Abstract. In this thesis we study natural deduction proof systems for discrete
time linear temporal logics.

We start by defining a proof system for a simple logic for which no induction
rule is needed. The resulting proof system is simple, and its rules for the modal
operators are close to the quantifier rules of predicate logic.

We prove that the standard proof-theoretic properties of predicate logic also hold
for this system. In particular we prove that the system enjoys the normalization
property and that its intuitionistic fragment enjoys the disjunction property and
the existential property.

Then we extend the previous system to cope with linear temporal logic, and we
consider several different modal operators. The new system requires an induction
rule and is not normalizing.

We recover the normalization property by defining a new proof system with an
infinitary rule. We show that this new system is equivalent to the system based
on the induction rule as long as we consider finite sets of formulas.

Starting from our first proof system, we devise a term calculus that gives a
computational reading to the temporal operators of intuitionistic temporal
logic. We argue for its application to staged evaluation by defining a basic
language with constructs for boxed code and delayed evaluation.

Finally we briefly show how the proof systems defined in this thesis can be
faithfully encoded in logical frameworks.
Chapter 1


Introduction 


In this thesis we are mainly concerned with temporal logics [GHR94] and systems of
natural deduction [Pra65]. The kinds of temporal logic considered here range from
a simple bimodal logic to past-tense temporal logic with until. For each of these
a proof system in natural deduction style is introduced and investigated.

Starting from the seminal paper of Pnueli [Pnu77], in which temporal logic is
presented as a tool for the specification and verification of the behaviour of reactive
systems, temporal logics have found their way into many different areas of Computer Science.
Nowadays temporal logic is a main ingredient in the study of temporal databases,
in the specification, verification and synthesis of concurrent systems [CES86, Lam94],
in linguistics and in many other areas (for a detailed list of applications see also
[GHR94]).

The term temporal logic is often used to denote the broad class of logical systems
aimed at the representation of temporal information. Several different
approaches have been developed in this direction; among these we will focus on the
approaches based on modal logics (see [Che90]).

Temporal Logic (or Tense Logic) arose from the seminal studies made by Arthur
Prior around 1960 (see [Pri68] for a survey). The basic linguistic constructs of
temporal modal logics are called modal operators (or quantifiers). In his original
works Prior introduced two modal operators with intended meaning “It will at
some time be the case that” and “It will always be the case that” (usually denoted
by ◇ and □, respectively).

The work of Prior opened a wide spectrum of possibilities for the modeling of 
time in logical systems. 

From the semantic point of view, the flow of time is described as a relation among
events; when described by mathematical structures the events take the name of
worlds and the relation takes the name of accessibility relation. According to the
context in which temporal logic is applied, several different choices are available for
the formalization of the accessibility relation.

In applications of temporal logic to computer science, the accessibility relation
is usually discrete (for each event there exists a set of successors of that event),
since it describes the evolution of systems that compute in steps. Another possibility
is that of having a dense relation (for each pair of ordered events there always exists a
third event that follows the former and precedes the latter).

Again, in computer science, it is usually the case that we are interested in the
description of a system starting from a given event, say the boot time of the system.
Conversely, we could also consider a relation in which for each event there exists
another event that precedes it in time.

In the former case we consider a time structure that extends infinitely into the
future (it is usually unnecessary to consider an end point in time); in the latter we
obtain a time structure that extends infinitely both into the past and into the future.

Another common property of discrete accessibility relations is linearity: in linear
temporal logic it is assumed that each event has exactly one successor in time.
Conversely, in branching-time temporal logic each event may have one or more successors
in time.

From the syntactic point of view, too, there are a number of different systems that
are generally referred to by the generic name of temporal logic. Beyond the basic
modal operators denoting possibility and necessity in the future, several other modal
operators have been introduced and investigated.

Notably, in discrete-time temporal logic a modal operator has been introduced
with the meaning “at the next time it will be the case that”. Moreover, modal
operators for quantification over the past and for “bounded” quantification have
been studied.

Most of these studies follow the same methodology that has been developed for
the study of modal logics. In particular, most of the works present axiomatic systems,
and no great investigation has been made into other approaches.

A particularly successful logical formalism in computer science is natural deduction.
Natural deduction systems were introduced in 1935 by Gerhard Gentzen
[Gen69] and, starting with the studies of Dag Prawitz in [Pra65], have become the object
of deep investigation in logic and in computer science.

The first motivation leading to the definition of natural deduction systems is
that of mirroring human reasoning in the process of developing proofs.

Instead of being defined by a set of truths assumed axiomatically, a natural deduction
system is defined by a set of inference rules. Each logical constant is completely
described in the system by a set of introduction and elimination rules. A formula
with a given logical constant may only be introduced starting from a set of assumptions
described by the introduction rules for that logical constant. Symmetrically,
the only formulas that can be deduced by assuming a formula with a given logical
constant are specified by the elimination rules for that logical constant.

The reasons for the success of natural deduction systems in computer science are
manifold.

First, with respect to Hilbert-style proofs, natural deduction proofs are more easily
managed by humans. This is particularly relevant in the context of logical frameworks
([Pfe96] provides an index for the subject), in which a computer program assists
the user in the development of formal proofs.

Second, natural deduction proofs have a rich syntactic structure that can be
exploited to obtain (syntactically) interesting meta-theoretical results. For instance,
the well-known normalization property of the natural deduction system for predicate
logic can be used to prove the consistency of predicate logic.

Also, by means of the Curry-Howard isomorphism [How80], a deep connection
has been drawn between (a class of) natural deduction systems and (a class of) calculi.
Moreover, the type disciplines of many calculi can be seen as an application of the
Curry-Howard isomorphism to a given natural deduction system. Conversely, in
many cases, calculi can be seen as (computational) interpretations of logical systems
defined by a natural deduction system.

In the area of temporal logic (and more generally in modal logic) natural deduction
systems have been mostly neglected. The first attempt to devise a natural
deduction system for modal logic was made by Prawitz in [Pra65].

In his work Prawitz introduced three natural deduction systems for the modal logics
S4 and S5 (for the sake of discussion we will refer here only to the first). S4 is a modal
logic with a reflexive, transitive accessibility relation and with modal operators □ for
necessity and ◇ for possibility.

The peculiar rules of his systems are the introduction rules for □; these are
translations of the axiomatic inference rule of necessitation (if formula φ is a theorem,
so is □φ). Unfortunately, the necessitation rule interacts poorly with the notion
of assumption in natural deduction systems.

In the first formulation, the □ introduction rule requires: (i) a proof of φ; (ii)
that each formula assumed in the proof of φ is of the form □ψ for some formula ψ.

This is an almost direct translation of the necessitation rule; unfortunately, the
resulting system is not normalizing. In order to recover the normalization property,
Prawitz devised a new □ introduction rule (the third version).

In the third formulation the □ introduction rule is a complicated elaboration of
the first formulation: condition (ii) is relaxed so as to require that a formula of the
form □ψ is present on each path of the proof leading from the assumptions to the
conclusion.

This rule is clearly non-local (it requires conditions on the structure of the whole
proof, rather than on the immediate premises of the rule). Non-local rules are in
general difficult to handle, and the proof techniques (rewriting) used to prove properties
of natural deduction systems usually fail with non-local rules.

More importantly, the resulting system lies quite far from the intentions of natural
deduction. The inference rules of the system hardly constitute the “meaning” of the
modal operators, and the process of proving modal formulas remains quite unnatural.

Other works after that of Prawitz addressed the problem of formulating natural
deduction systems for modal logic (to the best of our knowledge there are no works
dealing with natural deduction systems for temporal logic).

In [Mas96] A. Masini proposes natural deduction systems for positive fragments
of several modal logics (K, KT, K4, S4). His systems introduce the notion of level of
formulas so as to accommodate a more flexible treatment of assumptions. In the resulting
formalisms the modal rules mimic quite closely the quantifier rules of predicate
logic.

In [PW95] Pfenning and Wong present a proof system for (the intuitionistic
fragment of) modal logic S4. The theoretical properties of the resulting calculus are
investigated and some hints at applications of the calculus are given (notably to
staged computation and binding-time analysis).

In [Sim94], A. Simpson introduces a family of labelled natural deduction systems
for a broad class of (intuitionistic) modal logics. The main aim of Simpson's work
is that of studying intuitionistic modal logic; no great attention is paid in
his work to classical modal logic.

In [Vig97] and subsequently in [BMV97a] D. Basin, S. Matthews and L. Viganò
study the application of Labelled Deductive Systems [Gab97] to modal logics. They
study a methodology to obtain natural deduction systems for a broad class of modal
logics. They also show a “modular” proof of correctness for the whole class of systems
they introduce.

The systems of Simpson and Basin will be described in some detail in Section 2.2.3.

In this thesis, starting from ideas found in the works quoted above, we aim at the
definition of systems of natural deduction (or better, “natural” systems) for temporal
logics. In particular, we exploit the idea of labelled systems to obtain inference rules
for temporal operators that are close to the standard rules for quantifiers in predicate
logic.

We advocate the validity of the approach by considering a number of different
temporal logics and establishing basic proof-theoretical results for the proposed
systems. In particular, following the methodology of Prawitz, we will study the
normalization property and its several consequences.

We advocate the significance of the approach by considering applications of the
developed proof systems. Starting from one of the investigated proof systems, we
devise a term calculus with applications to the area of staged evaluation. We also
show how the proposed logical systems can be encoded in a logical framework in order
to obtain proof checkers for temporal logics.

The thesis, then, is roughly divided into two parts.

In Chapter 2 we give a brief and rigorous introduction to the main topics we will
touch on in the thesis, namely natural deduction and temporal logics.

In Chapter 3 we start by considering a simple variant of temporal logic, which we call
here Small Temporal Logic. With respect to other temporal logics, Small Temporal Logic
has the peculiarity of not needing an induction rule; this turns out to give a rather
simple proof system. We give a proof system in natural deduction style and discuss
the various choices leading to such a system.

In Chapter 4 we study the properties of the proof system for Small Temporal
Logic. Two different versions are considered, an intuitionistic version and a classical
version. Normalization is proved both for the intuitionistic version and for the classical
version; moreover, several properties of intuitionistic predicate logic are also proved
for Small Temporal Logic, notably the disjunction property and the existential property.

In Chapter 5 we show how the proof system for Small Temporal Logic can be
extended in order to obtain a proof system for linear temporal logic; some other
variants of linear temporal logic are also considered. For each of these logics the
introduction of an induction rule in the proof system will be required. We will show
that such an addition spoils the normalization property of the proof system.

In order to recover some of the properties of normalizing systems for the proof
systems for temporal logics, in Chapter 6 we define a new class of proof systems
based on a rule with infinitely many premises (ω-rule). We study the properties of these
proof systems and how they relate to the systems based on the induction rule.
A consequence of the properties of the system based on the ω-rule will be the
consistency of the systems based on the induction rule.

In Chapter 7 we study an application of intuitionistic Small Temporal Logic
to staged evaluation. First we define the temporal λ-calculus (an extension of the simply
typed λ-calculus whose type system is based on Small Temporal Logic) and study its
properties. Then we define a reduction strategy that is shown to be meaningful with
respect to staged evaluation and establish correctness properties for this reduction
strategy. Finally we introduce a simple programming language based on the temporal
λ-calculus.

In Chapter 8 we briefly cover the aspect of proving temporal formulas. In particular
we show how the proof systems defined in this thesis can be faithfully encoded
in logical frameworks. We consider the dependently typed λ-calculus and show
how, using standard methodologies, we can define isomorphisms between the set of
temporal proofs and given subsets of λ-terms.
Chapter 2


Basic Notions and Notations 


In this chapter we briefly review some basic notions that we will repeatedly use in
the sequel. This in no way makes this work self-contained, but it should be
sufficient for the acquainted reader to fix notation. The quoted bibliography will
provide further information on each single topic discussed.


2.1 Natural Deduction 


In this section we quickly recall the most important notions about natural deduction
systems. For simplicity we consider natural deduction systems for propositional
logic; as is common in this context, we will take the formula ¬φ as shorthand for φ → ⊥.
For more information on the subject see [Pra65, Gir87, Tak87, TS96].

Systems of natural deduction were proposed by Gentzen as a “natural” formalization
of the process carried out by a mathematician when writing rigorous
proofs.

A key property of systems of natural deduction is the possibility to work “under
assumptions”: in order to prove φ → ψ one can assume the truth of φ and prove
(under such an assumption) the truth of ψ. When proving ψ the assumption φ is
active (or open) and can be used in the deduction process. Once the deduction of
ψ is concluded, the assumption φ may be discharged so as to obtain a deduction of
φ → ψ that does not depend on the truth of φ. Once the statement φ → ψ has been
proved and the assumption φ has been discharged, φ becomes a closed assumption
and cannot be used again in the deduction process.


Assumptions and formula occurrences. When dealing with natural deduction
we must be careful to distinguish between formulas and assumptions occurring in
deductions. Assumptions used in deductions are formula occurrences, so that different
assumptions in a deduction can have the same shape (i.e. the same formula) but
are nevertheless distinct objects.
A rigorous formalization would require labelling each assumption in order to
distinguish it from other assumptions of the same shape. For our purposes in this
section we prefer to avoid such labelling and rely on the position in which the
assumption occurs within deductions to distinguish among different occurrences of
formulas of the same shape.


Deductions. A deduction of a formula φ under a set of assumption occurrences
Γ (or simply a deduction of φ from Γ) is a tree-like structure depicted as

$$\begin{array}{c} \Gamma \\ \pi \\ \varphi \end{array}$$

whose leaves Γ are the open assumptions of the deduction and whose root φ is the
conclusion of the deduction.

The set of deductions of a natural deduction system is inductively defined by
means of a set of logical rules. Instead of describing a general format for logical
rules, we prefer to consider a concrete example.


Definition 2.1.1 (ND system for classical propositional logic)

[rule figure not recovered from the scan: the axiom rule (Ax) and the introduction and elimination rules of the connectives]


The axiom rule (Ax) is the only rule without premises. It states that for each
formula φ, the single node labelled φ is a deduction, namely the trivial deduction.
This deduction has φ as conclusion and the singleton {φ} as its set of open assumptions.

A rule (ρ) with ψ₁, …, ψₙ as premises and φ as conclusion permits the formation
of a deduction with conclusion φ starting from deductions of ψ₁, …, ψₙ. For instance,
if π₁, π₂ are deductions with conclusions φ₁, φ₂ and open assumptions Γ₁, Γ₂
respectively, by rule (∧i) we also have that

$$\dfrac{\begin{array}{cc} \Gamma_1 & \Gamma_2 \\ \pi_1 & \pi_2 \\ \varphi_1 & \varphi_2 \end{array}}{\varphi_1 \wedge \varphi_2}\,(\wedge i)$$

is a deduction with conclusion φ₁ ∧ φ₂ and open assumptions Γ₁ ∪ Γ₂.
For most rules, the set of open assumptions is the union of the sets of open
assumptions of the premises. Some rules instead permit discharging a subset of the
assumptions of their premises; this is depicted using square brackets on the premise
of the rule. For instance, consider a deduction π of φ with open assumptions Γ ∪ Δ,
and assume moreover that all the assumptions in Δ are of shape ψ. Then, using (→i),
we can build a new deduction with conclusion ψ → φ and open assumptions Γ.
The (possibly empty) set Δ is the set of assumptions discharged by rule (→i). Such a
discharge operation is usually depicted by bracketing the assumptions in Δ:

$$\dfrac{\begin{array}{c} [\psi]^{1} \quad \Gamma \\ \pi \\ \varphi \end{array}}{\psi \to \varphi}\,(\to i)^{1}$$

Numbers labelling rule occurrences and assumptions (as in the previous example)
are sometimes used to record the binding between closed assumptions and the rules that
discharged them.

Given a set of formulas Γ and a formula φ, a system of natural deduction S is
said to prove that φ is a consequence of Γ if there exists a deduction π in S such that π
concludes with φ and has open assumptions whose shapes are in Γ.

In this case one says that π is a deduction in S of φ from Γ or, if Γ is empty,
that π is a proof of φ. The natural deduction system S indeed defines a consequence
relation (⊢_S) over the set of formulas: Δ ⊢_S φ if there exists in S a deduction of φ from Γ
with Γ ⊆ Δ. The subscript S is omitted when the system is clear from the context.

Obviously the consequence relation resulting from the proof system should coincide
with the semantic entailment relation (⊨) of the logic. A proof system is said to be
sound when Γ ⊢ φ implies that φ is a logical consequence of Γ. Conversely, it is said to be
complete if Γ ⊢ φ whenever φ is a logical consequence of Γ.


A sequent presentation. It is possible to give another presentation of natural
deduction systems that makes the set of open assumptions of a deduction more explicit.
In this alternative presentation, each deduction concludes with a pair (Γ, φ).
The first component of such a pair is a set of formulas representing (a superset of) the
open assumptions of the deduction; the second component is a formula representing
the conclusion of the deduction. The whole pair is called a sequent and is usually
written Γ ⊢ φ. We will rely on the context to distinguish between the sequent as a
pair and the assertion that in some fixed system formula φ is a consequence of Γ.

Finally, commas appearing in sequents are interpreted as unions, so that Γ, φ ⊢ ψ
is interpreted as Γ ∪ {φ} ⊢ ψ.

It is easy to convince oneself that, starting from the system in Definition 2.1.1 and making
explicit the set of open assumptions in each rule, we can mechanically derive the
rules in Definition 2.1.2.
Definition 2.1.2 (Sequent-style ND system for propositional logic)

[rule figure not recovered from the scan: the rules of Definition 2.1.1 rewritten on sequents Γ ⊢ φ]
Some observations about logical rules. In natural deduction systems, each
logical rule except the axiom rule is related to a logical connective and can be
classified either as an introduction rule or as an elimination rule.

A generic rule (ρ) with premises ψ₁, …, ψₙ and conclusion φ is an introduction
rule for connective ⊙ if φ is obtained from ψ₁, …, ψₙ using ⊙ as main connective. The
premises ψ₁, …, ψₙ can be seen as the “minimal” conditions necessary to conclude φ.

Conversely, a generic rule (ρ) with φ ⊙ ψ among its premises and φ as conclusion
is an elimination rule for connective ⊙. The conclusion of an elimination rule can be
seen as the “maximal” information that can be recovered from the premises. The
premise of the rule containing the eliminated connective is called the main premise of
the rule.

Since proofs in natural deduction systems have a single conclusion, each elimination
rule must conclude with exactly one formula. When a connective naturally
eliminates into a set of formulas (this is for instance the case of disjunction) the
elimination rules take a slightly different form. Instead of allowing one to conclude with
formulas derived from the main premise, they discharge such formulas from the assumptions
of other premises of the deduction (see for instance (∨e)); such rules are called improper
rules.

In a natural deduction system each connective has one or more introduction rules
and one or more elimination rules. If the system is well behaved (in a sense that will
be made clear later), each elimination rule is dual to the corresponding introduction rule.
This duality is manifest in the observation that an introduction/elimination pair
does not change the content of the deduction. For instance, π₁ and π₂ below can be
considered essentially equal in that they conclude with the same formula starting
from the same set of formulas (i.e. they both prove Γ, Δ ⊢ φ).


Rule pairs for which such a duality holds are said to satisfy the inversion principle. 
Normal deductions. If one is interested in the logical content of deductions, π₁
and π₂ above can safely be considered equivalent. In the same way such an equivalence
can be extended to the whole set of deductions of propositional logic by means of
equations of which π₁ = π₂ is an instance.

For example, in the same spirit we would like to equate the deductions

[figure not recovered from the scan: the two deductions to be equated]
Leaving out the complex details, all we need to know is that the set of deductions
can be endowed with an equivalence relation that equates any two deductions differing
only in the presence of introduction/elimination pairs.

It is then natural to seek a canonical form for the whole set of equivalent deductions.
Going back to π₁ and π₂, considering that they both conclude with φ, the former
contains a useless detour. A good candidate to represent the whole class of deductions
equivalent to π₁ is the deduction that does not contain detours. Such a deduction
is called a normal deduction.

Several interesting properties can usually be established for normal deductions.
For instance, normal deductions in the system of natural deduction for propositional
logic enjoy the following.


Proposition 2.1.3 (Subformula property) If π is a normal proof of φ, then
each formula ψ occurring in π is a subformula of φ.


In virtue of the previous considerations, it is interesting to know whether each deduction
in a given natural deduction system is equivalent to some normal deduction. In this
case we would have, for instance, that each provable formula φ admits a
proof (the normal proof) consisting only of subformulas of φ. A system in which
each deduction is equivalent to a normal deduction is said to be (weakly) normalizing. A
natural deduction system is said to be strongly normalizing if there exists an effective procedure
that, given any deduction, computes an equivalent normal deduction.


Proposition 2.1.4 The system of propositional logic is normalizing. 


The normalization procedure for a strongly normalizing natural deduction system
is usually given as a set of rewrite rules over deductions. Proving strong normalization
is then tantamount to proving that the reduction relation induced by the
rewrite rules admits no infinitely increasing chains (for details about normalization
in classical logic see [Pra65, Sta91]).
In propositional logic we have, for instance, the following reduction rule.

[figure not recovered from the scan: a reduction rule removing an introduction/elimination pair from a deduction]


Theorem 2.1.5 (Strong normalization for the ND system Prop) The system of
natural deduction for propositional calculus is strongly normalizing, i.e. for each
deduction π there does not exist an infinite reduction sequence $\pi = \pi_1 \triangleright \pi_2 \triangleright \cdots$.


Once strong normalization has been proved, the reduction process becomes
interesting in itself as a computational process.


2.1.1 Computational interpretation. 


In order to talk about computation we need to introduce a formalism in which
computations can be described, the intention being that of relating such a formalism
to natural deduction. We will now introduce the λ-calculus (see [Bar91]), a formalism
particularly convenient for the description of computations.


Definition 2.1.6 (Untyped λ-calculus) Given a set of variables V, the abstract
syntax of the terms of the λ-calculus (briefly λ-terms) is defined by the following
grammar:

$$t ::= x \mid (\lambda x.t) \mid (t\,t)$$

where we use x to range over V and t to range over the set of λ-terms.
Given a λ-term t, the set FV(t) of free variables of t is defined inductively by
the following equations:

$$FV(x) = \{x\} \qquad FV(\lambda x.t) = FV(t) \setminus \{x\} \qquad FV(t_1\,t_2) = FV(t_1) \cup FV(t_2)$$


Variables occurring in terms that are not free are called bound variables; a term
without free variables is called closed. Two terms differing only in the choice of
bound variables are called α-equivalent. α-equivalent terms are considered equal (to
be precise, terms are defined as equivalence classes with respect to α-equivalence).

Given terms t, u and a variable x, the substitution of u for x in t is defined by
induction on t as

$$\begin{array}{rcl@{\qquad}rcl}
x\{u/x\} &=& u & y\{u/x\} &=& y \\
(\lambda x.t)\{u/x\} &=& \lambda x.t & (\lambda y.t)\{u/x\} &=& \lambda y.\,t\{u/x\} \\
(t_1\,t_2)\{u/x\} &=& t_1\{u/x\}\; t_2\{u/x\}
\end{array}$$

where x, y ∈ V and x ≠ y. Since terms are α-equivalence classes, in the clause for
λy.t the bound variable y can always be chosen so that y ∉ FV(u), which prevents the
free variables of u from being captured.




Computations in the λ-calculus are represented as a process of rewriting by substitution.
Roughly, if we interpret λx.t as the function associating the term t to the variable
x, and (λx.t)u as the application of such a function to the term u, it is natural to see
t{u/x} as the result of such an application. Such a process of rewriting is formalized
by a reduction relation on terms, whereas the notion of result is formalized by
normal forms.


Definition 2.1.7 (β-reduction) β-reduction (here denoted by ▷) is the minimal
relation over the set of λ-terms containing

$$(\lambda x.t)\,u \;\triangleright\; t\{u/x\}$$

and closed with respect to the following compatibility conditions:

$$\frac{t \triangleright u}{\lambda x.t \triangleright \lambda x.u} \qquad
\frac{t_1 \triangleright t_2}{t_1\,t \triangleright t_2\,t} \qquad
\frac{t_1 \triangleright t_2}{t\,t_1 \triangleright t\,t_2}$$


We denote by ▷* the reflexive and transitive closure of ▷. A λ-term t is in
normal form if there does not exist a λ-term u such that t ▷ u. A λ-term t is said to
have a normal form if there exists u in normal form such that t ▷* u.


One of the important properties that a computational system should guarantee
is that the evaluation of a given term does not give rise to different results. In
particular, since reduction in the λ-calculus is non-deterministic (there is no prescribed order on
reductions), one needs to prove that no two different normal forms can be obtained
from the same term.

The following well-known property is sufficient to show that each λ-term has at most
one normal form.


Proposition 2.1.8 (Church-Rosser Property) Given λ-terms t, t₁ and t₂,
if $t \triangleright^* t_1$ and $t \triangleright^* t_2$ then there exists u such that $t_1 \triangleright^* u$ and $t_2 \triangleright^* u$.


Within the λ-calculus we can then define a class of terms to represent natural numbers
and functions. Functions that admit a representation within the λ-calculus are said to be
λ-definable. Finally, the following theorem gives the expressive power of the λ-calculus.


Theorem 2.1.9 All general recursive functions are λ-definable.


We now come back to natural deduction systems, but, instead of considering
classical logic, we take a weaker logic (the reason for this choice will be made clear
later). We consider the fragment of intuitionistic propositional logic without ⊥.

The most rewarding (at least from this perspective) semantic definition we can
give of intuitionistic logic is due to Heyting (a discussion of Heyting semantics can
be found in [Gir89]). Heyting's idea is that the semantics of an intuitionistic
propositional formula φ is nothing but the set of its “proofs”, where a proof of:

an atomic formula is a process that is assumed to be given;

a conjunction φ ∧ ψ is a pair of proofs, one of φ and one of ψ;

a disjunction φ ∨ ψ is either a proof of φ plus the information that φ is the proved
sentence, or a proof of ψ plus the information that ψ is the proved sentence;

an implication φ → ψ is a function that maps each proof of φ to a proof of ψ.


It is now easy to notice that the definition of deduction in Definition 2.1.1 fulfills
Heyting's definition of proof. The only mismatch is in the rule for ⊥; we
easily obtain a natural deduction proof system for intuitionistic propositional logic
by substituting rule (⊥c) with the following:

$$\frac{\bot}{\varphi}\,(\bot i)$$


From the provability point of view it is clear that intuitionistic logic is strictly
weaker than classical logic. Consider for instance the excluded middle principle
(φ ∨ ¬φ). According to Heyting's semantics, a proof of φ ∨ ¬φ requires either a
proof of φ or a proof of ¬φ, which is not available in general; hence, in intuitionistic logic,
the excluded middle principle is no longer valid.

On the other side, from a computational point of view, the natural deduction
system for classical logic does not enjoy the Church-Rosser property, so that the
same proof can be reduced to different normal forms.

By a change of perspective, we read Heyting's definition again as the specification
of a typed calculus. The semantics of a type $\varphi$ is the set of terms inhabiting
type $\varphi$, where a term whose type is:

• an atomic type is some datum from a set associated to such a type;
• the product $\varphi \wedge \psi$ is a pair of terms, one of type $\varphi$ and one of type $\psi$;
• the disjoint sum $\varphi \vee \psi$ is either a term of type $\varphi$ tagged with 0, or a term of type
  $\psi$ tagged with 1;
• the function type $\varphi \to \psi$ is a term that, when applied to a term of type $\varphi$, results in
  a term of type $\psi$.


It is now a matter of choosing a concrete syntax and formalizing the clauses above
as term formation rules to obtain the definition of a typed language. For simplicity
we will consider here only the calculus arising from the implicative fragment of the
logic (for a more general presentation see [Gir89, Hin97, TS96]).




Definition 2.1.10 (Simply typed λ-calculus ($\lambda^{\to}$)) Given a set of basic types
$T_0$, the set of types $T$ of the simply typed λ-calculus is described by the following
abstract syntax:

$$T ::= \alpha \mid \varphi \to \psi$$

where $\alpha$ ranges over $T_0$ and $\varphi, \psi$ range over $T$.

Let $V$ be a given set of variables.

A variable declaration is a pair $x : \varphi$ with $x \in V$ and $\varphi \in T$. A typing environment
(or typing context) $\Gamma$ is a set of variable declarations.

A λ-term $t$ has type $\varphi$ under typing context $\Gamma$ if there exists a derivation of $\Gamma \vdash t : \varphi$
built with the following rules:

$$\frac{x : \varphi \in \Gamma}{\Gamma \vdash x : \varphi} \qquad
\frac{\Gamma, x : \varphi \vdash t : \psi}{\Gamma \vdash \lambda x.t : \varphi \to \psi} \qquad
\frac{\Gamma \vdash t : \varphi \to \psi \qquad \Gamma \vdash u : \varphi}{\Gamma \vdash t\,u : \psi}$$

A λ-term $t$ for which there exist a context $\Gamma$ and a type $\varphi$ such that $\Gamma \vdash t : \varphi$ is said to
admit a type in $\lambda^{\to}$. The set of $\lambda^{\to}$-terms is defined as the set of λ-terms that admit
a type in $\lambda^{\to}$.


The following property makes it possible to inherit β-reduction within $\lambda^{\to}$.

Proposition 2.1.11 (Subject Reduction) For all λ-terms $t$ and $u$,
$$\Gamma \vdash t : \varphi \text{ and } t \to_\beta u \implies \Gamma \vdash u : \varphi$$


Comparing the natural deduction system for intuitionistic propositional logic
with the definition of the simply typed λ-calculus, a strong correspondence between
the two is immediately seen.

Such correspondence can be made mathematically quite precise. It can be shown
that it is an isomorphism (the Curry-Howard isomorphism) between:

    intuitionistic logic      and    simply typed λ-calculus
    ... formulas              and    ... types
    ... deductions            and    ... terms
    ... normalization         and    ... computation

For a description of the Curry-Howard isomorphism see also [Gir89, Bar92].
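The following Python program is an added example, not code from the thesis: it implements the typing rules of Definition 2.1.10 for Church-style annotated terms, capture-avoiding substitution, leftmost β-reduction and a check of Proposition 2.1.11 (the type is re-computed after every reduction step). The sample terms `COMPOSE` and `DETOUR` are constructed here to illustrate the Curry-Howard reading: the inhabitant of $(a \to b) \to (b \to c) \to (a \to c)$ is function composition, and reducing an introduction/elimination detour on $a \to a$ is proof normalization.

```python
"""Simply typed lambda-calculus (lambda->) of Definition 2.1.10: type checking,
capture-avoiding substitution, beta-reduction and a subject-reduction check
(Proposition 2.1.11)."""
from dataclasses import dataclass

# Types: a base type alpha is a string; an arrow type phi -> psi is the pair (phi, psi).
# Terms carry Church-style annotations on binders, so the type is a function of the term.
@dataclass(frozen=True)
class Var:
    name: str

@dataclass(frozen=True)
class Lam:
    var: str
    ty: object      # type of the bound variable
    body: object

@dataclass(frozen=True)
class App:
    fun: object
    arg: object

class Untypable(Exception):
    pass

def typeof(ctx, t):
    """Return phi with ctx |- t : phi, or raise Untypable (the three typing rules)."""
    if isinstance(t, Var):                        # x : phi in Gamma
        if t.name not in ctx:
            raise Untypable(f"free variable {t.name}")
        return ctx[t.name]
    if isinstance(t, Lam):                        # Gamma, x : phi |- t : psi
        return (t.ty, typeof({**ctx, t.var: t.ty}, t.body))
    if isinstance(t, App):                        # Gamma |- t : phi -> psi and Gamma |- u : phi
        f_ty, a_ty = typeof(ctx, t.fun), typeof(ctx, t.arg)
        if not (isinstance(f_ty, tuple) and f_ty[0] == a_ty):
            raise Untypable(f"cannot apply {f_ty} to {a_ty}")
        return f_ty[1]
    raise Untypable(f"not a term: {t!r}")

def is_typable(ctx, t):
    try:
        typeof(ctx, t)
        return True
    except Untypable:
        return False

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, Lam):
        return free_vars(t.body) - {t.var}
    return free_vars(t.fun) | free_vars(t.arg)

_counter = [0]
def fresh(name):
    _counter[0] += 1
    return f"{name}_{_counter[0]}"

def subst(t, x, s):
    """t[s/x], renaming bound variables so that free variables of s are not captured."""
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, s), subst(t.arg, x, s))
    if t.var == x:                                # x is rebound here: nothing to replace
        return t
    if t.var in free_vars(s):                     # alpha-rename the binder first
        y = fresh(t.var)
        t = Lam(y, t.ty, subst(t.body, t.var, Var(y)))
    return Lam(t.var, t.ty, subst(t.body, x, s))

def step(t):
    """One leftmost-outermost beta-step, or None when t is already in normal form."""
    if isinstance(t, App):
        if isinstance(t.fun, Lam):                # (lambda x.t) u  -->  t[u/x]
            return subst(t.fun.body, t.fun.var, t.arg)
        f = step(t.fun)
        if f is not None:
            return App(f, t.arg)
        a = step(t.arg)
        return None if a is None else App(t.fun, a)
    if isinstance(t, Lam):
        b = step(t.body)
        return None if b is None else Lam(t.var, t.ty, b)
    return None

def normalize(ctx, t):
    """Reduce t to beta-normal form, re-checking after every step that the type
    is preserved (subject reduction); returns (normal form, type)."""
    ty = typeof(ctx, t)
    while (u := step(t)) is not None:
        assert typeof(ctx, u) == ty, "subject reduction violated"
        t = u
    return t, ty

# Sample terms (constructed for this example): the deduction of
# (a -> b) -> (b -> c) -> (a -> c) is function composition, and the detour
# "(-> I) followed by (-> E)" on a -> a, applied to a hypothesis y : a, normalizes to y.
A, B, C = "a", "b", "c"
COMPOSE = Lam("f", (A, B), Lam("g", (B, C),
              Lam("x", A, App(Var("g"), App(Var("f"), Var("x"))))))
DETOUR = App(Lam("x", A, Var("x")), Var("y"))

if __name__ == "__main__":
    print(typeof({}, COMPOSE))            # ((a, b), ((b, c), (a, c)))
    print(normalize({"y": A}, DETOUR))    # (Var(name='y'), 'a')
```

Because binders are annotated, `typeof` needs no unification; the renaming in `subst` is what keeps β-reduction sound when the argument mentions a variable bound inside the body.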


2.2 Modal and Temporal Logics


Modal and temporal logics appear in many different contexts of computer science
(for a list of applications see [GHR94]). The distinctive trait of modal logics is the
notion of possibility and necessity. The true/false approach used in classical logic
is here replaced by the notions of possibly true and necessarily true. Such notions
are expressed within the logic by means of modal operators (or quantifiers). For a
comprehensive discussion of modal logics see [Che90, HC84].

Definition 2.2.1 (The language of modal logics) Given a set of atomic formulas
$L$, the abstract syntax of modal formulas is defined as follows:

$$\mathit{Form} ::= \bot \mid a \mid (\varphi \vee \psi) \mid (\varphi \wedge \psi) \mid (\varphi \to \psi) \mid (\Box\varphi) \mid (\Diamond\varphi)$$

where $a$ ranges over $L$ and $\varphi, \psi$ range over modal formulas. $\Box$ and $\Diamond$ are called the
necessity and possibility modal operators respectively.


Modal logics are interpreted within rich mathematical structures, known as
Kripke structures, where the truth value of formulas depends on the world in which
formulas are evaluated. Necessity and possibility become quantifiers on this set of
worlds: a formula is necessarily true at a world $w$ if it is true in each world deemed
possible from $w$. Conversely, a formula is possibly true at a world $w$ if there exists a world
deemed possible from $w$ in which the formula evaluates to true. The notion of possible
world (or reachable world) is formalized by means of a reachability relation
on this set of worlds.


Definition 2.2.2 (Kripke Frames and Structures) A Kripke frame (or modal
frame or simply frame) is a pair $(W, \mathcal{R})$ where:

• $W$ is a non-empty set;
• $\mathcal{R}$ is a binary relation on $W$;

when $F$ refers to a modal frame we will also write $F_W$ and $F_{\mathcal{R}}$ for its first and
second component respectively.

Given a set of atomic formulas $L$, a Kripke structure (or modal structure) on $L$
is a triple $(W, \mathcal{R}, \rho)$ where:

• $(W, \mathcal{R})$ is a Kripke frame;
• $\rho$ is a function from $W$ to the power-set of $L$, $\rho : W \to 2^L$.

If $M$ is a modal structure, we will write $M_W$, $M_{\mathcal{R}}$ and $M_\rho$ to denote its components.

One usually refers to the elements of $W$ as the worlds of the structure, $\mathcal{R}$ is called
the reachability relation (or accessibility relation) and $\rho$ is called the truth assignment.


The evaluation of modal formulas is defined with respect to a Kripke structure
and a world of the structure. The interpretation of propositional connectives will
coincide with their interpretation in propositional logic; the interpretation of the modal
quantifiers will depend on the reachability relation of the structure.

Definition 2.2.3 Given a modal formula $\varphi$, a modal structure $M = (W, \mathcal{R}, \rho)$ and a
world $w \in W$, define the satisfaction relation $\models$ by induction as follows:

$$\begin{array}{lcl}
M, w \models a & \iff & a \in \rho(w), \text{ for each } a \in L \\
M, w \models \varphi \wedge \psi & \iff & M, w \models \varphi \text{ and } M, w \models \psi \\
M, w \models \varphi \vee \psi & \iff & M, w \models \varphi \text{ or } M, w \models \psi \\
M, w \models \varphi \to \psi & \iff & M, w \not\models \varphi \text{ or } M, w \models \psi \\
M, w \models \Box\varphi & \iff & \forall w' \in W.\ \text{if } w\,\mathcal{R}\,w' \text{ then } M, w' \models \varphi \\
M, w \models \Diamond\varphi & \iff & \exists w' \in W \text{ such that } w\,\mathcal{R}\,w' \text{ and } M, w' \models \varphi
\end{array} \qquad (2.2.1)$$

The relation $\models$ is then extended to structures and frames as follows:

$$\begin{array}{lcl}
M \models \varphi & \iff & M, w \models \varphi \text{ for each world } w \in M_W \\
F \models \varphi & \iff & F, \rho \models \varphi \text{ for each truth assignment } \rho : F_W \to 2^L
\end{array}$$

In case $M \models \varphi$ ($F \models \varphi$) one says that $M$ ($F$) is a model of $\varphi$.
Finally, a modal formula $\varphi$ is said to be valid if $F \models \varphi$ for each modal frame $F$.


Observe that the two modal operators $\Box$ and $\Diamond$ are dual to each other; more
precisely, $M \models \Box\varphi$ if and only if $M \models \neg\Diamond\neg\varphi$.

Since the definition of satisfaction is parametric both in a structure and in a
world, one can define two different consequence relations, considering truth for whole
structures or truth for each world of the structure.

Definition 2.2.4 (Consequence Relations) The global consequence relation $\models_g$ is a
relation between sets of modal formulas and formulas defined by:

$$\Gamma \models_g \varphi \iff \forall M\ \big((\forall \sigma \in M_W.\ M, \sigma \models \Gamma) \implies \forall \sigma \in M_W.\ M, \sigma \models \varphi\big)$$

The local consequence relation $\models_l$ is a relation between sets of formulas and formulas defined by:

$$\Gamma \models_l \varphi \iff \forall M\ \forall \sigma \in M_W\ (M, \sigma \models \Gamma \implies M, \sigma \models \varphi)$$

Other notions of validity result from considering restricted classes of frames.


2.2.1 Hilbert systems.


Traditionally, proof systems for modal logics are formulated as Hilbert systems; we
will start here by considering the normal modal logic K.

Definition 2.2.5 (Modal Logic K) Modal logic K is the logic defined by the following
axiom schemata:

P0) any instance of propositional tautologies;

Axiom K) $\Box(\varphi \to \psi) \to \Box\varphi \to \Box\psi$

and by the modus ponens and necessitation inference rules:

MP) if $\varphi$ and $\varphi \to \psi$ then $\psi$;
NEC) if $\varphi$ then $\Box\varphi$.

As usual we will use the notation $\vdash \varphi$ to indicate that formula $\varphi$ is provable in
the system.

A definition of the modal entailment relation is beyond the purposes of this
introduction; for a complete exposition see [vB83].

The Hilbert system for modal logic K fully characterizes modal validity as defined
in Definition 2.2.3, i.e. $\vdash \varphi$ if and only if $\models \varphi$.

The name modal logics gives a broad classification distinguishing between classical
logics and logics of modalities; many different modal logics result from restricting the
class of frames of interest. Many interesting sets of frames can be classified according
to the properties of the accessibility relation. The semantic definition restricted to
such classes of frames gives rise to different modal logics. An interesting topic arises from
the study of reachability relation properties that have a characterization at the syntactic
level. For instance it is well known that, if we add the formula $\Box\varphi \to \varphi$ to the set of
axioms of K, we obtain a logic containing all and only the formulas valid in frames
with a reflexive reachability relation.


Definition 2.2.6 Consider a formula $P$ in the first-order language with binary
symbols $R$ and $=$. Then we say that a modal formula $\varphi$ defines property $P$ if

$$\{F \mid F \models \varphi\} = \{F \mid F \models P\}$$

where in the second set $F$ is seen as a first-order structure and $\models$ is the first-order truth
relation.


For a thorough introduction to correspondence theory (the study of frame properties
definable in modal logic) see [van84].

Modal logics obtained by the addition of axioms to the Hilbert system for K are
usually named by their Lemmon code. The Lemmon code is a string of the form
$KC_1 \ldots C_n$; the letters $C_1, \ldots, C_n$ come from a set of standard letters, each one denoting a
different axiom. The most widely used letters, together with the first-order property
they define, are summarized in Table 2.1. For instance the modal logic whose frames
have an accessibility relation that is reflexive and transitive has Lemmon code KT4.

Some logics also have a historical name; notably we recall S4, which stands for
KT4, and S5, which stands for KT5.
    Letter   Frame property
    B        Symmetry       $\forall w, w'.\ w\,R\,w' \text{ implies } w'\,R\,w$
    D        Seriality      $\forall w.\ \exists w'.\ w\,R\,w'$
    T        Reflexivity    $\forall w.\ w\,R\,w$
    4        Transitivity   $\forall w, w', w''.\ w\,R\,w' \text{ and } w'\,R\,w'' \text{ implies } w\,R\,w''$
    5        Euclidean      $\forall w, w', w''.\ w\,R\,w' \text{ and } w\,R\,w'' \text{ implies } w'\,R\,w''$

Table 2.1: Lemmon codes and frame properties


2.2.2 Temporal Logics.


Temporal logics naturally arise from modal logics when the accessibility relation is
used to model the flow of time (as observed in the seminal work [Pnu77]). Temporal
logics have applications in several fields of computer science (see for instance [Pnu77,
Pnu97, Eme90, Sti92]); in particular they are used in the specification of systems
whose behavior can be described by a sequence of events. Properties of interest
in these systems are notions like always happens, happens at the next time and
eventually happens.

Like modal logics, temporal logics are interpreted on Kripke frames. Several
temporal logics have been defined in the literature (for a comprehensive account see
[GHR94]), differing both in the choice of modalities and in the choice of properties
satisfied by frames. Here we are interested in particular in a discrete time linear
temporal logic.

Definition 2.2.7 (The language of temporal logics.)
Given a set of atomic formulas $L$, the abstract syntax of discrete time linear temporal
logic formulas (or linear temporal logic, for short) is defined as follows:

$$\mathit{Form} ::= \bot \mid a \mid \varphi \vee \psi \mid \varphi \wedge \psi \mid \varphi \to \psi \mid \bigcirc\varphi \mid \Box\varphi \mid \Diamond\varphi$$

where $a$ ranges over $L$ and $\varphi, \psi$ range over the set of formulas. Formulas $\bigcirc\varphi$, $\Box\varphi$
and $\Diamond\varphi$ are usually read next $\varphi$, always $\varphi$ and eventually $\varphi$.

The modal operators $\bigcirc$ and $\Box$ are used to express respectively the immediate future
(the next time relative to the current time) and the remote future (any time past the current time).
The two modal operators are described at the semantic level by using two different
accessibility relations: one for $\bigcirc$ and its reflexive transitive closure for $\Box$.


Definition 2.2.8 (Semantics.) A Kripke frame $(W, \mathcal{R})$ is a linear temporal frame
(or simply a temporal frame) if $\mathcal{R}$ is a linear total relation on $W$, i.e.

$$\text{for each } w \in W \text{ there exists a unique } w' \in W \text{ such that } w\,\mathcal{R}\,w'.$$

A linear temporal structure (or simply temporal structure) is a triple $(W, \mathcal{R}, \rho)$
such that:

• $(W, \mathcal{R})$ is a linear temporal frame;
• $\rho$ is a truth assignment.

Given a formula $\varphi$, a temporal structure $M = (W, \mathcal{R}, \rho)$ and a world $w \in W$ we
define the satisfaction relation by extending equation 2.2.1 with the following clauses:

$$\begin{array}{lcl}
M, w \models \bigcirc\varphi & \iff & \forall w' \in W.\ \text{if } w\,\mathcal{R}\,w' \text{ then } M, w' \models \varphi \\
M, w \models \Box\varphi & \iff & \forall w' \in W.\ \text{if } w\,\mathcal{R}^*\,w' \text{ then } M, w' \models \varphi \\
M, w \models \Diamond\varphi & \iff & \exists w' \in W \text{ such that } w\,\mathcal{R}^*\,w' \text{ and } M, w' \models \varphi
\end{array} \qquad (2.2.2)$$

where $\mathcal{R}^*$ is the reflexive, transitive closure of $\mathcal{R}$.

The operators $\Box$ and $\Diamond$ are indeed dual to each other, i.e. $M \models \Box\varphi$
if and only if $M \models \neg\Diamond\neg\varphi$. By definition of $\mathcal{R}^*$, the accessibility relation for $\Box$ is
reflexive and transitive, so that $\Box$ satisfies axioms T and 4, i.e. for each structure
$M$, $M \models \Box\varphi \to \varphi$ and $M \models \Box\varphi \to \Box\Box\varphi$. Summarizing, this fragment of the logic
behaves as S4.

The next time operator $\bigcirc$, instead, is self-dual, i.e. $M \models \bigcirc\varphi$ if and only if
$M \models \neg\bigcirc\neg\varphi$. Moreover, by the assumption that $\mathcal{R}$ is total, we also have that $\bigcirc$
satisfies axiom D, i.e. for each $M$, $M \models \bigcirc\varphi \to \neg\bigcirc\neg\varphi$.

Moreover, the two pairs of modal quantifiers are related by the fact that the
accessibility relation for $\bigcirc$ is contained in the accessibility relation for $\Box$. For each
structure $M$, we have $M \models \Box\varphi \to \bigcirc\varphi$.

It is more common to define linear temporal structures as ω-sequences of subsets
of $L$ (see for instance [Sti92]); it is however easy to see that the two formulations are
equivalent. We chose this formulation in order to keep the definitions of the semantics
of modal and temporal logic as close as possible.


Axiomatization. Here we briefly define linear temporal logic via a Hilbert
axiomatization.

Definition 2.2.9 Linear temporal logic is defined by the following axiom schemata:

P0) any instance of propositional tautologies;

T1) $\bigcirc(\varphi \to \psi) \to \bigcirc\varphi \to \bigcirc\psi$;

T2) $\Box(\varphi \to \psi) \to \Box\varphi \to \Box\psi$;

T3) $(\bigcirc\neg\varphi \to \neg\bigcirc\varphi) \wedge (\neg\bigcirc\varphi \to \bigcirc\neg\varphi)$;

T4) $\Box\varphi \to \varphi \wedge \bigcirc\Box\varphi$;

T5) $\Box(\varphi \to \bigcirc\varphi) \to \varphi \to \Box\varphi$;

and the following inference rules:

MP) if $\varphi$ and $\varphi \to \psi$ then $\psi$;

NEC$_{\bigcirc}$) if $\varphi$ then $\bigcirc\varphi$;

NEC$_{\Box}$) if $\varphi$ then $\Box\varphi$.

As usual we will use the notation $\vdash \varphi$ to indicate that formula $\varphi$ is provable in
the system.

Observe that axiom T1 corresponds to axiom K on the $\bigcirc$ fragment of the logic,
and axiom T2 corresponds to axiom K on the $\Box$ fragment of the logic. Axiom
T3 is used to impose linearity on the structure. Axiom T5 is also known as the
induction axiom and is used to capture the fact that the accessibility relation for the
modal operator $\Box$ is contained in the reflexive, transitive closure of the accessibility
relation for $\bigcirc$. Conversely, axiom T4 imposes the reflexivity and transitivity of the
modal operator $\Box$.


2.2.3 ND Systems for modal logics


Here we briefly sketch two approaches that have been undertaken in the representation
of modal logics within natural deduction systems. Both approaches are related to
Labelled Deductive Systems (see [Gab97]) and give rise to similar systems for modal
logic K.

Simpson's approach. The system we are going to describe is due to A. Simpson
and is presented in [Sim94].

The main focus of Simpson's work is on intuitionism within modal logics, and
the natural deduction system he proposes is aimed at studying the proof theory of
intuitionistic modal logics. The aim is foundational; quoting from [Sim94]: "we
want to provide a natural deduction system for intuitionistic modal logic in which the
standard possible world meanings of modalities can be read off from their inference
rules". Nevertheless, the technique developed for this purpose can also be used to
develop natural deduction systems for classical modal logics.

The basic idea is that if the possible world meaning has to be made explicit in
logical rules, the worlds themselves should explicitly appear in the rules. A logical judgment of
his system takes the form $p : \varphi$ and is interpreted as "formula $\varphi$ holds at world $p$". Here
$p$ is a world variable (simply a symbol used in the proof system), not to be confused
with points of Kripke structures; world variables are interpreted as generic worlds of
generic structures.

We start by considering the semantic definition of modal logic K. Once we fix
a world, the semantics of propositional connectives coincides with the semantics of
propositional logic, and we can use the rules of Definition 2.1.1 simply relativizing
formulas with respect to a world variable; for instance the rules for conjunction become

$$\frac{p : \varphi_1 \qquad p : \varphi_2}{p : \varphi_1 \wedge \varphi_2}\ (\wedge_I) \qquad
\frac{p : \varphi_1 \wedge \varphi_2}{p : \varphi_i}\ (\wedge_E)$$

From the clause for the modal connective $\Box$, we have that the truth of $\Box\varphi$ can be
established at a generic world $p$ if the truth of $\varphi$ can be established at any other
world $q$ reachable from $p$. Conversely, if $\Box\varphi$ is proved true at world $p$, and $q$
is any world reachable from $p$, then we also have that $\varphi$ is true at world $q$.

From this informal description it is clear that we need another judgment to
express the fact that the world denoted by some variable, say $q$, is accessible from
the world denoted by some other variable, say $p$. Using the notation $p\,R\,q$ to express
accessibility of $q$ from $p$, the equations for the modal operators in Definition 2.2.3 can
be syntactically rephrased in the form of natural deduction rules as follows:

$$\frac{\begin{array}{c}[p\,R\,q]\\ \vdots\\ q : \varphi\end{array}}{p : \Box\varphi}\ (\Box_I)^{E(q)} \qquad
\frac{p : \Box\varphi \qquad p\,R\,q}{q : \varphi}\ (\Box_E)$$

The fact that we need to prove $q : \varphi$ in any possible world $q$ reachable from $p$
in order to conclude $p : \Box\varphi$ is expressed in $(\Box_I)$ by the eigenvariable
condition on $q$. We write $E(q)$ to denote that $q$ must be a fresh variable, occurring
neither in the conclusion (i.e. such that $q \neq p$) nor in the open assumptions.

Similar considerations lead to the formulation of the rules for the introduction 
and the elimination of ©. 


Definition 2.2.10 (Natural deduction system for intuitionistic K)

$$\frac{p : \bot}{p : \varphi}\ (\bot_I) \qquad
\frac{\begin{array}{c}[p : \varphi]\\ \vdots\\ p : \psi\end{array}}{p : \varphi \to \psi}\ (\to_I) \qquad
\frac{p : \varphi \to \psi \qquad p : \varphi}{p : \psi}\ (\to_E)$$

$$\frac{p : \varphi_i}{p : \varphi_1 \vee \varphi_2}\ (\vee_I) \qquad
\frac{p : \varphi_1 \vee \varphi_2 \qquad \begin{array}{c}[p : \varphi_1]\\ \vdots\\ p : \psi\end{array} \qquad \begin{array}{c}[p : \varphi_2]\\ \vdots\\ p : \psi\end{array}}{p : \psi}\ (\vee_E)$$

$$\frac{p : \varphi_1 \qquad p : \varphi_2}{p : \varphi_1 \wedge \varphi_2}\ (\wedge_I) \qquad
\frac{p : \varphi_1 \wedge \varphi_2}{p : \varphi_i}\ (\wedge_E)$$

$$\frac{\begin{array}{c}[p\,R\,q]\\ \vdots\\ q : \varphi\end{array}}{p : \Box\varphi}\ (\Box_I)^{E(q)} \qquad
\frac{p : \Box\varphi \qquad p\,R\,q}{q : \varphi}\ (\Box_E) \qquad
\frac{p\,R\,q \qquad q : \varphi}{p : \Diamond\varphi}\ (\Diamond_I) \qquad
\frac{p : \Diamond\varphi \qquad \begin{array}{c}[p\,R\,q]\ [q : \varphi]\\ \vdots\\ r : \psi\end{array}}{r : \psi}\ (\Diamond_E)^{E(q)}$$
Other modal logics can be obtained by enriching the previous system with rules to
deal with relational judgments. Simpson studies the class of modal logics that are
first-order definable by means of a geometric theory; moreover he gives a method
to derive rules from a (logical) description of a geometric theory. For the sake of
exemplification we only show here some representative rules.

$$\frac{\begin{array}{c}[p\,R\,q]\\ \vdots\\ r : \varphi\end{array}}{r : \varphi}\ (R_D)^{E(q)} \qquad
\frac{\begin{array}{c}[p\,R\,p]\\ \vdots\\ r : \varphi\end{array}}{r : \varphi}\ (R_T) \qquad
\frac{p\,R\,q \qquad q\,R\,r \qquad \begin{array}{c}[p\,R\,r]\\ \vdots\\ s : \varphi\end{array}}{s : \varphi}\ (R_4)$$

The rules shown above are the natural deduction equivalent of axioms D, T
and 4 respectively. Some observations are in order about the choice of the format of
relational rules.

Like logical rules, relational rules may also introduce fresh variables; this is the
case, for instance, of $(R_D)$. Each relational rule is given as an indirect rule with exactly
one logical judgment as main premise and some number of relational judgments
as minor premises. The conclusion of a relational rule is always a logical judgment.
Finally, each relational rule discharges one or more relational assumptions.

In this way Simpson relegates relational judgments to the role of side conditions
for the applicability of the rules; since relational judgments are not part of the
logic one would indeed expect that no rule of the system concludes with a relational
judgment. Moreover, in this way, there is never the need of defining a logic of relational
judgments: since no relational judgment appears as the conclusion of a deduction,
there is no need to define what results from the application of a logical rule to a
relational judgment.

In the following, judgments of the form $p\,R\,q$ will also be called relational formulas
and judgments of the form $p : \varphi$ will also be called labelled formulas or logical formulas
when we want to distinguish them from relational formulas.


Basin and Viganò's approach. The system described here is due to Basin and
Viganò and has been studied in [BMV98b, BMV98a, BMV97a, BMV97b, Vig97,
BMV96b, BMV96a].

Their work exploits labelled deductive systems so as to obtain a modular natural
deduction system representing a large class of modal logics. In the setting they define,
a natural deduction system for a given logic is obtained by plugging a (specific)
proof system for a relational theory (here called the relational proof system) into
a (parametric) natural deduction system for modal logics (here called the logical proof
system). The interface between the two proof systems is described by means of a
labelling algebra. The relational proof system deals with relational judgments of the
form $t\,R\,t'$ where $t$ and $t'$ are terms of the labelling algebra. The logical proof system
deals with judgments of the form $t : \varphi$ where the label $t$ is a term of the labelling
algebra and $\varphi$ is a logical formula. Relational judgments also appear as premises of
the rules of the logical proof system.

Following [BMV97a] we describe a (parametric) natural deduction system composed
of a base system for modal logic K and a class of systems for Horn theories
defining different modal logics.

The base system for logic K is composed of the same rules as the system of
Simpson except for $(\bot_E)$. The logics defined by these systems are classical, hence the
rule for $\bot$-elimination is the following:


The other important difference between the two sets of rules is in the nature of the
labels. In Simpson's work labels are simply variables, whereas in this system labels
are terms of some algebra that will be specific to the relational theory considered.

The proof system for the relational theory is obtained from a Horn theory by
translating each Horn formula to a rule of the proof system. The translation is quite
straightforward and we will not describe it in detail. What matters for our purpose
is that the resulting rules take the form

$$\frac{t_1\,R\,t_1' \qquad \cdots \qquad t_n\,R\,t_n'}{t_0\,R\,t_0'}$$

where $t_0, \ldots, t_n$ and $t_0', \ldots, t_n'$ are terms (with variables) of the labelling algebra.
For instance the rules below correspond to axioms T, 4 and D respectively (in the last
one $f(x)$ is a term built from a function symbol $f$ of the labelling algebra).

$$\frac{}{x\,R\,x}\ (R_T) \qquad
\frac{x\,R\,y \qquad y\,R\,z}{x\,R\,z}\ (R_4) \qquad
\frac{}{x\,R\,f(x)}\ (R_D)$$

The rule corresponding to axiom D clearly explains the need for considering terms
and not simply variables. To assert that a generic world is reachable from a world
variable $x$, we need to conclude with a judgment of the form $x\,R\,t$ for some term $t$.
Now, if we chose a variable for $t$, since relational deductions and logical deductions
are separate objects, we could not impose any global condition on such a variable. In
particular we could not impose that such a variable does not appear in some assumption
of the deduction.


Chapter 3


Small Temporal Logic


In this chapter we will introduce small temporal logic (or, for short, STL), a logic
with two modal connectives obtained by a semantic simplification of linear temporal
logic.

Two different reasons lead us to consider STL. First, the intuitionistic fragment
of STL gives rise to an interesting calculus related to staged evaluation, whose properties
will be exploited in Chapter 7. Second, the proof system for this logic will constitute
the basis of the proof system that will be developed for linear temporal logic.


3.1 Language and Semantics


Definition 3.1.1 (Language of Small Temporal Logic (STL))
Given a set of propositional variables $L$, the language of small temporal logic is
defined by:

$$\mathit{Form} ::= \bot \mid a \mid \varphi \wedge \psi \mid \varphi \vee \psi \mid \varphi \to \psi \mid \bigcirc\varphi \mid \Box\varphi \mid \Diamond\varphi$$

where we use $a$ to range over $L$ and $\varphi, \psi$ to range over formulas.
We will also use $\neg\varphi$ as a shorthand for $\varphi \to \bot$ and $\varphi \leftrightarrow \psi$ as a shorthand for
$(\varphi \to \psi) \wedge (\psi \to \varphi)$.

The language of small temporal logic is the same as that of linear temporal logic; the
difference is purely semantic and is introduced in order to simplify the proof system.
More precisely, what we want to leave out is the induction axiom. In order to
do this we interpret formulas over frames with two distinct relations, one used as
accessibility relation for $\bigcirc$ and one used as accessibility relation for $\Box$.


Definition 3.1.2 (Birelational Frames and Structures)
A birelational frame $M$ is a triple $(W, \mathcal{R}, \mathcal{R}')$ where:

• $(W, \mathcal{R})$ and $(W, \mathcal{R}')$ are Kripke frames;
• $\mathcal{R}$ is a linear total relation on $W$;
• $\mathcal{R}'$ is reflexive and transitive;
• the reflexive and transitive closure of $\mathcal{R}$ is included in $\mathcal{R}'$.

Given a set of propositional variables $L$, a birelational structure over $L$ is a
quadruple $(W, \mathcal{R}, \mathcal{R}', \rho)$ such that $(W, \mathcal{R}, \mathcal{R}')$ is a birelational frame and $\rho : W \to 2^L$
is a truth assignment.


Definition 3.1.3 Given a small temporal logic formula $\varphi$, a birelational structure
$M = (W, \mathcal{R}, \mathcal{R}', \rho)$ and an element $w$ of $W$, define the satisfaction relation $\models$
inductively on $\varphi$ as follows:

$$\begin{array}{lcl}
M, w \models a & \iff & a \in \rho(w), \text{ for each atomic formula } a \\
M, w \models \varphi \wedge \psi & \iff & M, w \models \varphi \text{ and } M, w \models \psi \\
M, w \models \varphi \vee \psi & \iff & M, w \models \varphi \text{ or } M, w \models \psi \\
M, w \models \varphi \to \psi & \iff & M, w \not\models \varphi \text{ or } M, w \models \psi \\
M, w \models \bigcirc\varphi & \iff & \forall w' \in W.\ \text{if } w\,\mathcal{R}\,w' \text{ then } M, w' \models \varphi \\
M, w \models \Box\varphi & \iff & \forall w' \in W.\ \text{if } w\,\mathcal{R}'\,w' \text{ then } M, w' \models \varphi \\
M, w \models \Diamond\varphi & \iff & \exists w' \in W \text{ such that } w\,\mathcal{R}'\,w' \text{ and } M, w' \models \varphi
\end{array} \qquad (3.1.1)$$

We say that the structure $M$ is a model of $\varphi$ ($M \models \varphi$) if for each $w \in W$ we have
$M, w \models \varphi$.
The usual definitions of satisfiable and valid formula follow accordingly.

The truth assignment $\rho$ can also be seen as a function $\rho : L \to 2^W$; we will indifferently
use one or the other representation when this leads to a simpler exposition.


Observation 3.1.4 Temporal frames can be identified with the subset of birelational
frames for which the accessibility relation $\mathcal{R}'$ is the reflexive and transitive closure
of the accessibility relation $\mathcal{R}$.

For each temporal frame $F = (W, \mathcal{R})$ there exists a birelational frame $F'$ such that for
each temporal formula $\varphi$, $F \models \varphi$ if and only if $F' \models \varphi$.

Indeed, denote with $\mathcal{R}^*$ the reflexive transitive closure of the relation $\mathcal{R}$ and take $F' =
(W, \mathcal{R}, \mathcal{R}^*)$; by definition of $\models$ for temporal and birelational frames, we immediately
have the statement.

As a corollary we have that formulas that are valid in small temporal logic are
also valid in temporal logic.

To see that small temporal logic validity and temporal logic validity do not
coincide, consider the formula $\varphi = a \to \Box(a \to \bigcirc a) \to \Box a$. We have that $\varphi$ is valid
in temporal logic, since it is an instance of the induction axiom schema, but it is
not valid in small temporal logic. To see this consider the birelational structure
$M = (W, \mathcal{R}, \mathcal{R}', \rho)$ with

$$W = \omega + \omega \qquad \mathcal{R} = \{(i, i+1) \mid 0 \le i < \omega + \omega\}$$
$$\mathcal{R}' = \{(i, j) \mid 0 \le i \le j < \omega + \omega\} \qquad a \in \rho(i) \iff i < \omega$$

It is easily seen that $M$ is a counter-model for $\varphi$: at world 0 we have $a$, and $a \to \bigcirc a$
holds at every world (for $i < \omega$ because $a$ holds at $i+1$, for $i \ge \omega$ because $a$ fails at $i$), so
$\Box(a \to \bigcirc a)$ holds at 0; but $\omega$ is $\mathcal{R}'$-reachable from 0 (while not $\mathcal{R}^*$-reachable) and $a$
fails there, so $\Box a$ fails at 0.
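The following Python program is an added example, not part of the thesis, and serves several passages at once: it implements the satisfaction relations of Definition 2.2.3, equation 2.2.2 and Definition 3.1.3 over finite structures, frame validity as quantification over all truth assignments (Definition 2.2.3), the correspondence between axiom T and reflexive frames (Definition 2.2.6 and Table 2.1), the frame conditions of Definitions 2.2.8 and 3.1.2, and the failure of the induction axiom T5 in STL. Since the thesis's counter-model lives on $\omega + \omega$, the `checks()` function uses a constructed three-world analogue in which world 2 is $\mathcal{R}'$-reachable but not $\mathcal{R}^*$-reachable from world 0; the frames and assignments are all constructed for this example.

```python
"""Model checking the modal language of Definition 2.2.1, the linear temporal
language of Definition 2.2.7 and small temporal logic (Definition 3.1.3) over
finite structures; used to test frame correspondence and to reproduce a finite
counter-model to the induction axiom."""
from itertools import product

# Formulas as nested tuples: ('bot',), ('atom', a), ('and', f, g), ('or', f, g),
# ('imp', f, g), ('next', f), ('box', f), ('dia', f).
def Not(f):
    return ('imp', f, ('bot',))          # the thesis's shorthand: not f is f -> bot

def closure(W, R):
    """Reflexive transitive closure R* of R over W (Warshall's algorithm)."""
    Rs = set(R) | {(w, w) for w in W}
    for k in W:
        for i in W:
            for j in W:
                if (i, k) in Rs and (k, j) in Rs:
                    Rs.add((i, j))
    return Rs

def sat(M, w, f):
    """M, w |= f for M = (W, R, Rp, rho): R interprets 'next', Rp interprets
    box and dia.  A plain Kripke structure for modal K is the case Rp == R."""
    W, R, Rp, rho = M
    k = f[0]
    if k == 'bot':  return False
    if k == 'atom': return f[1] in rho[w]
    if k == 'and':  return sat(M, w, f[1]) and sat(M, w, f[2])
    if k == 'or':   return sat(M, w, f[1]) or sat(M, w, f[2])
    if k == 'imp':  return (not sat(M, w, f[1])) or sat(M, w, f[2])
    if k == 'next': return all(sat(M, v, f[1]) for v in W if (w, v) in R)
    if k == 'box':  return all(sat(M, v, f[1]) for v in W if (w, v) in Rp)
    if k == 'dia':  return any(sat(M, v, f[1]) for v in W if (w, v) in Rp)
    raise ValueError(f"unknown connective {k}")

def structure_valid(M, f):
    """M |= f: f holds at every world of M."""
    return all(sat(M, w, f) for w in M[0])

def atoms(f):
    return {f[1]} if f[0] == 'atom' else set().union(*map(atoms, f[1:]))

def frame_valid(W, R, Rp, f):
    """F |= f: f holds under every truth assignment rho : W -> 2^L, where L is
    the set of atoms of f (atoms not in f cannot affect its truth)."""
    cells = [(w, a) for w in W for a in sorted(atoms(f))]
    for bits in product((False, True), repeat=len(cells)):
        rho = {w: set() for w in W}
        for (w, a), bit in zip(cells, bits):
            if bit:
                rho[w].add(a)
        if not structure_valid((W, R, Rp, rho), f):
            return False
    return True

def is_temporal_frame(W, R):
    """R is linear and total: every world has exactly one R-successor (Def. 2.2.8)."""
    return all(sum((w, v) in R for v in W) == 1 for w in W)

def is_birelational_frame(W, R, Rp):
    """Definition 3.1.2: R linear total, Rp reflexive and transitive, R* included in Rp."""
    reflexive = all((w, w) in Rp for w in W)
    transitive = all((a, c) in Rp for (a, b) in Rp for (b2, c) in Rp if b == b2)
    return is_temporal_frame(W, R) and reflexive and transitive and closure(W, R) <= Rp

a = ('atom', 'a')
AXIOM_T = ('imp', ('box', a), a)
INDUCTION = ('imp', a, ('imp', ('box', ('imp', a, ('next', a))), ('box', a)))   # axiom T5
W = (0, 1, 2)

def checks():
    """Constructed frames and structures (not from the thesis) exercising the definitions."""
    out = {}
    # Correspondence: box a -> a is frame-valid iff the accessibility relation is reflexive.
    R = {(0, 1), (1, 2)}
    out['T_fails_on_irreflexive'] = not frame_valid(W, R, R, AXIOM_T)
    out['T_holds_on_reflexive'] = frame_valid(W, R, closure(W, R), AXIOM_T)
    # Duality at every world of a structure: box a  <->  not dia not a.
    M = (W, R, R, {0: {'a'}, 1: set(), 2: {'a'}})
    out['box_dia_dual'] = all(sat(M, w, ('box', a)) == sat(M, w, Not(('dia', Not(a)))) for w in W)
    # Temporal frame (R total and linear, R' = R*): the induction axiom is frame-valid.
    R_lin = {(0, 1), (1, 2), (2, 2)}
    out['induction_valid_on_temporal'] = (is_temporal_frame(W, R_lin)
                                          and frame_valid(W, R_lin, closure(W, R_lin), INDUCTION))
    # Birelational counter-model, a finite analogue of the omega+omega structure of
    # Section 3.1: world 2 is R'-reachable from 0 but not R*-reachable, and a fails there.
    R_b = {(0, 1), (1, 1), (2, 2)}
    Rp_b = closure(W, R_b) | {(0, 2)}
    M_b = (W, R_b, Rp_b, {0: {'a'}, 1: {'a'}, 2: set()})
    out['counter_model_is_birelational'] = is_birelational_frame(W, R_b, Rp_b)
    out['induction_fails_in_stl'] = not sat(M_b, 0, INDUCTION)
    return out

if __name__ == '__main__':
    for name, ok in checks().items():
        print(f"{name}: {ok}")
```

`frame_valid` enumerates $2^{|W| \cdot |L|}$ assignments, which is what the definition of $F \models \varphi$ asks for and is fine for frames of this size; on larger frames one would restrict attention to the atoms of the formula, as done here, and to worlds reachable from the one under evaluation.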


3.2 Axiomatization


A complete axiomatization for STL can easily be obtained by combining the axioms
that define the properties of the two accessibility relations.


Definition 3.2.1 (Small temporal logic axiomatization)
Small temporal logic is axiomatized by the following axiom schemata:

P0) any instance of propositional tautologies;

T1) $\bigcirc(\varphi \to \psi) \to \bigcirc\varphi \to \bigcirc\psi$;

T2) $\Box(\varphi \to \psi) \to \Box\varphi \to \Box\psi$;

T3) $(\bigcirc\neg\varphi \to \neg\bigcirc\varphi) \wedge (\neg\bigcirc\varphi \to \bigcirc\neg\varphi)$;

T4) $\Box\varphi \to \varphi \wedge \Box\Box\varphi$;

T5) $\Box\varphi \to \bigcirc\varphi$;

and the following inference rules:

MP) if $\varphi$ and $\varphi \to \psi$ then $\psi$;

NEC$_{\bigcirc}$) if $\varphi$ then $\bigcirc\varphi$;

NEC$_{\Box}$) if $\varphi$ then $\Box\varphi$.

Observe that the set of axioms is obtained from the axiomatization of linear
temporal logic by dropping the induction axiom. Indeed axioms T4 and T5 are
derivable in the axiomatization of linear temporal logic, but the induction axiom
is not derivable in the axiomatization of STL.


Proposition 3.2.2 (Soundness) If $\varphi$ is provable in the Hilbert system of Definition
3.2.1 then $\models \varphi$.


Proof. Simply observe that each axiom is valid and that the rules MP and NEC preserve
validity. $\square$


The completeness of the axiomatization follows from a general result of correspondence
theory based on [Lem77]. Here we will briefly sketch the argument; for
more details see [Sti92, van84].
Proposition 3.2.3 (Completeness) If $\varphi$ is a valid small temporal logic formula,
there exists a proof of $\varphi$ in the Hilbert system of Definition 3.2.1.


Proof. The proof follows a standard Henkin argument (see [HC84] for details).
Instead of proving $\models \varphi \implies \vdash \varphi$ we prove $\nvdash \neg\varphi \implies \nvDash \neg\varphi$, i.e. that for each
consistent formula $\varphi$ there exist $M$ and $w$ such that $M, w \models \varphi$.

Given such a formula $\varphi$, by a standard construction we can obtain a tuple
$M = (W, \mathcal{R}, \mathcal{R}', \rho)$ (called the canonical model of STL) such that:

• $(W, \mathcal{R}, \rho)$ is a Kripke structure;
• $(W, \mathcal{R}', \rho)$ is a Kripke structure;
• $M, w \models \varphi$, for some $w \in W$;
• $M$ satisfies every instance of axioms T3, T4 and T5.

Finally, by correspondence theory, we have

• $M \models$ T3 implies $\mathcal{R}$ is linear and total;
• $M \models$ T4 implies $\mathcal{R}'$ is reflexive and transitive;
• $M \models$ T5 implies $\mathcal{R} \subseteq \mathcal{R}'$;

i.e. $M$ is a birelational model of $\varphi$. $\square$


3.3 Labelled formulas


In the following we will use judgments in the style of Simpson's and Viganò's systems.
Given a set of world variables $V$, we have two different kinds of judgments: logical
judgments and relational judgments.

We will call logical judgments (or labelled formulas) pairs composed of a world
variable and a formula; such judgments will be written as $p : \varphi$. When it is
clear from the context that $\Gamma$ is a set of formulas, we will denote with $p : \Gamma$ the set
of labelled formulas $\{p : \varphi \mid \varphi \in \Gamma\}$.

We will call relational judgments, or relational formulas, triples composed of two
world variables and a relational symbol among $R$, $R'$ and $=$. Relational judgments
will be written using infix notation for the relational symbol. We will use the term
judgment to denote either relational or logical judgments.

Be careful not to confuse relational symbols with the accessibility relations of
structures. To avoid confusion we will reserve the calligraphic letters $\mathcal{R}$ and $\mathcal{R}'$ for
accessibility relations and use the roman letters $R$, $R'$ for relational symbols.

Intuitively, labelled formulas express the truth of formulas when interpreted with
respect to a given point of the structure. Relational judgments express relations among
the worlds to which world variables refer. To make these notions precise, we now define
an evaluation relation for logical and relational judgments.

Definition 3.3.1 Assume given a set of world variables $V$ and a birelational structure
$M = (W, \mathcal{R}, \mathcal{R}', \rho)$. We define a modal environment as a function $\sigma : V \to W$.
Given a modal environment $\sigma$, the evaluation relation extends to labelled formulas
as follows:

$$M, \sigma \models p : \varphi \iff M, \sigma(p) \models \varphi$$

In the same way, we extend the evaluation relation to relational judgments:

$$\begin{array}{lcl}
M, \sigma \models p\,R\,q & \iff & \sigma(p)\,\mathcal{R}\,\sigma(q) \\
M, \sigma \models p\,R'\,q & \iff & \sigma(p)\,\mathcal{R}'\,\sigma(q) \\
M, \sigma \models p = q & \iff & \sigma(p) = \sigma(q)
\end{array}$$

Finally, we extend the definition of the consequence relation to judgments as follows:
given a set $G$ of judgments and a labelled formula $p : \varphi$, we take

$$G \models p : \varphi \iff \forall M\ \forall \sigma\ (M, \sigma \models G \implies M, \sigma \models p : \varphi)$$

We will write $\sigma[p \mapsto w]$ for the modal environment that agrees with $\sigma$ on $V \setminus \{p\}$
and maps $p$ to $w$.


Observation 3.3.2 From the definition it is immediately seen that the evaluation
of labelled formulas gives rise to the same notion of validity defined for unlabelled
formulas.
More formally, given a labelled formula $p : \varphi$ and a birelational structure $M =
(W, \mathcal{R}, \mathcal{R}', \rho)$,

$$\forall w \in W.\ M, w \models \varphi \iff \forall \sigma.\ M, \sigma \models p : \varphi$$


In the following we will need sequents of judgments. We will write $G; \Gamma \vdash p : \varphi$ for
the sequent with set of relational premises $G$, set of logical premises $\Gamma$ and conclusion
$p : \varphi$.

We will use $\mathcal{J}$ to range over relational and logical judgments. We will sometimes
need to replace occurrences of world variables within judgments. If $\mathcal{J}$ is a judgment
and $p, q$ are world variables we will denote with $\mathcal{J}\{q/p\}$ the judgment obtained by
substituting in $\mathcal{J}$ each occurrence of $p$ with $q$.


3.4 Natural deduction system NK-STL 


We now give a proof system in natural deduction style for the simple logic above. 
We choose to follow the Simpson’s approach since we want to keep the system as 
simple as possible and then we prefer to avoid the introduction of an algebra of 
terms. 

For sake of completeness we list also the propositional rules even if they coincide 
with those in Simpson (except for | elimination rule) and Vigano systems. 
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Propositional Rules. 


mre [p: | 
| 

gt pp PvNnp pw D: Pi 

po (tee) mae D:D (—¢) mares o. 
Ip: di] [p: pe] 

pin ve boy Po? (yp) PPL PP? (Ay) PPL APE (AQ) 


Modal Rules. 


gi 

gy poe pR¢q pR'q ay 

pow (Or) ge Ce) “pop a) 
[p RF’ alla: ¢] [p R’ ql 


Recall that we use the superscript (q) on rule names to denote the fact that q has
to be a "fresh" variable for the rule to be applicable. So in rules (○I), (◇E) and (□I)
the world variable q can occur neither in the conclusion nor in any open assumption
of the premises.

Observe that, assuming linearity of R (every world has at most one R-successor, and
exactly one once seriality is also assumed), the connective ○ becomes autodual, i.e.
○φ ≡ ¬○¬φ, and so ○ behaves both as a universal quantifier and as an existential
quantifier. Hence also the following formulation would do:


$$\dfrac{p\,R\,q\quad q:\varphi}{p:\bigcirc\varphi}\;(\bigcirc I')\qquad\qquad
\dfrac{p:\bigcirc\varphi\quad [p\,R\,q]\,[q:\varphi]\;\;\vdots\;\;r:\psi}{r:\psi}\;(\bigcirc E')^{(q)}$$

Relational Rules. The system defined up to now is essentially modal logic K with
two pairs of dual modalities. In order to obtain a complete axiomatization with
respect to birelational frames we have to add rules encoding the properties of the
accessibility relations.




$$\dfrac{[p = p]\;\;\vdots\;\;q:\varphi}{q:\varphi}\;(=)\qquad
\dfrac{p_1 = p_2\quad p_1:\varphi}{p_2:\varphi}\;(=)\qquad
\dfrac{p_1 = p_2\quad J\quad [J\{p_1/p_2\}]\;\;\vdots\;\;q:\varphi}{q:\varphi}\;(=)\qquad
\dfrac{p\,R\,q_1\quad p\,R\,q_2\quad [q_1 = q_2]\;\;\vdots\;\;r:\varphi}{r:\varphi}\;(R_l)$$

$$\dfrac{[p\,R\,q]\;\;\vdots\;\;r:\varphi}{r:\varphi}\;(R_D)^{(q)}\qquad
\dfrac{[p\,R'\,p]\;\;\vdots\;\;r:\varphi}{r:\varphi}\;(R'_T)\qquad
\dfrac{p\,R'\,q\quad q\,R'\,r\quad [p\,R'\,r]\;\;\vdots\;\;s:\varphi}{s:\varphi}\;(R'_4)\qquad
\dfrac{p\,R\,q\quad [p\,R'\,q]\;\;\vdots\;\;r:\varphi}{r:\varphi}\;(R'_R)$$

where, in the third rule, J is a relational judgment.


Some observations about the relational rules are in order. The rules (=) are used
to characterize the equality relation as an equivalence relation that behaves as a
congruence with respect to judgments. Rule (R_l) characterizes linearity and permits
to conclude q_1 = q_2 from the assumptions p R q_1 and p R q_2. Rule (R_D) is the
analogue of axiom D for the accessibility relation R, whereas rules (R'_T) and (R'_4)
correspond to axioms T and 4 respectively. Finally rule (R'_R) is used to characterize
the relationship between the accessibility relations R and R'.

It is interesting to note that the relational rules are mutually orthogonal. In
particular, dropping rules (R_l) and (=) we obtain a system for frames with a branching
structure. The resulting system remains distant from branching temporal logics, since
it lacks a notion of path. It can nevertheless be interesting as a starting point for
a simple logic with branching semantics.


Remark 3.4.1 As observed before, the modal operator ○ behaves both as an existential
and as a universal quantifier. Even if we chose the universal formulation, the system
gives also the existential one, i.e. rules (○I') and (○E') are derivable in the system
as shown by the following deductions.

Derivation of (○I') from (○I) and (R_l): given the premises p R q and q:φ, take a
fresh world variable r and assume [p R r]. From p R q and p R r, rule (R_l) allows
us to assume [q = r]; from q = r and q:φ the (=) rules give r:φ. Discharging q = r by
(R_l) we obtain r:φ from p R q, q:φ and p R r, and discharging p R r by (○I)^{(r)}
we conclude p:○φ.

Derivation of (○E') from (○E) and (R_D): given the major premise p:○φ and a deduction
of r:ψ from [p R q] and [q:φ], with q fresh, apply (○E) to p:○φ and p R q to obtain
q:φ and plug the result into the deduction of r:ψ. The only remaining assumption on
q is p R q, which is discharged by (R_D)^{(q)}.

Conversely, rules (○I) and (○E) can be derived in a system with (○I') and (○E')
using the following derivations.

Derivation of (○I) from (○I') and (R_D): given a deduction of q:φ from [p R q] with
q fresh, apply (○I') to p R q and q:φ to obtain p:○φ, and then discharge p R q by
(R_D)^{(q)}.

Derivation of (○E) from (○E') and (R_l): given p:○φ and p R q, apply (○E') to p:○φ
with a fresh r, assuming [p R r] and [r:φ]. From p R q and p R r, rule (R_l) allows
us to assume [q = r], and from r:φ and q = r the (=) rules give q:φ. Discharging q = r
by (R_l) and then p R r, r:φ by (○E')^{(r)} we conclude q:φ.


Intuitionistic small temporal logic. In the following we will also consider the
proof system obtained from NK-STL by substituting rule (⊥E_c) with rule (⊥E). This
new system will be called NJ-STL, and we will refer to the logic generated by
NJ-STL as the intuitionistic small temporal logic.

There is not yet agreement on what intuitionistic modal logics should be in general,
and in this work we will not be concerned with intuitionistic semantics.

Some evidence that NJ-STL makes sense as the intuitionistic counterpart of NK-STL
is given by the fact that NJ-STL satisfies the following properties (see [Sim94]):

• NJ-STL is conservative over intuitionistic propositional logic;

• the addition of excluded middle (φ ∨ ¬φ) yields NK-STL;

• the disjunction property holds for NJ-STL (see 4.3.7);

• the modal quantifiers are independent in NJ-STL (see 4.3.11).

There are other reasons that lead us to consider this proof system. First, NJ-STL
deductions are a relevant subset of NK-STL deductions, and for this restricted subset
some properties hold that do not hold in general. Second, NJ-STL may be of some
interest when trying to recover a computational content from small temporal logic.


3.4.1 Relational Entailment

Following Simpson's approach we avoided rules that do not conclude with a logical
formula. In particular, relational rules that one would expect to have the shape of
introduction rules (for instance (R'_4)) have a rather peculiar form and discharge
assumptions instead of introducing new formulas. If we formulated the system using
sequents we would see that relational rules are always left introductions and we do
not have right introductions.

This asymmetry slightly complicates matters when we come to reasoning about the
relational part of a deduction. If we consider the relational rules that do not
involve fresh variables (i.e. all but rule (R_D)) we can give an equivalent formulation
using an approach à la Viganò. This means defining an entailment relation among
relational judgments and a proof system characterizing such a relation.
Definition 3.4.2

$$\dfrac{}{p\,R'\,p}\qquad
\dfrac{p\,R\,q}{p\,R'\,q}\qquad
\dfrac{p\,R'\,q\quad q\,R'\,r}{p\,R'\,r}\qquad
\dfrac{}{p = p}$$

$$\dfrac{p\,R\,q\quad p\,R\,r}{q = r}\qquad
\dfrac{p = q\quad J}{J\{q/p\}}\qquad
\dfrac{p = q\quad r = q}{p = r}$$

Given a set of relational judgments G and a relational judgment J, we will write
G ⊢ J if there exists a deduction of J with assumptions in G.


Trivially each of the rules above corresponds to a relational rule of our proof
system and conversely each rule of our proof system corresponds to one of the rules
above (except for rule (R_D)). Moreover, the logical rules of NK-STL together with
the rules above immediately define a natural deduction system à la Viganò. With
some work one could show that such a system corresponds exactly to the (R_D)-free
fragment of NK-STL.

We are not interested here in this alternative formulation of NK-STL. Instead, we
find it convenient to describe the relational parts of NK-STL deductions in terms of
relational entailment.


Definition 3.4.3 Let π be an NK-STL deduction and J, J' occurrences of relational
judgments in π.

We say that J immediately depends on J' if J is discharged by a rule that has J'
among its premises.

We say that J depends on J' if there exists a sequence J_0, ..., J_n such that J_0 =
J, J_n = J' and for each i < n, J_i immediately depends on J_{i+1}.

Observe that the dependency relation among judgment occurrences in deductions is
well founded, so it can be used as a measure in inductive arguments. Indeed if J
depends on J', J' must be used as a premise of some rule appearing below J, hence
it cannot also appear above some rule that has J as a premise.


Proposition 3.4.4 Let G be a set of relational judgments and J a relational judgment
such that G ⊢ J. Then for each Γ and p:φ, if there exists an NK-STL (NJ-STL)
deduction of G, J; Γ ⊢ p:φ there exists also an NK-STL (NJ-STL) deduction of
G; Γ ⊢ p:φ.

Proof. Let π be the deduction of G, J; Γ ⊢ p:φ and π' the deduction of G ⊢ J.
Proceeding by induction on π' we build a deduction of G; Γ ⊢ p:φ as follows.
If π' is the trivial deduction, J ∈ G and π is also a deduction of G; Γ ⊢ p:φ.
Otherwise π' concludes with some rule (ρ) with premises π'_1 and π'_2, deductions of
G ⊢ J_1 and G ⊢ J_2 respectively (the case of a single premise is analogous).
Applying to π the relational rule of NK-STL corresponding to (ρ), which discharges
the assumption J, we immediately obtain a new deduction π_1 of G, J_1, J_2; Γ ⊢ p:φ.
The inductive hypothesis applied to π'_1 and π'_2 then yields a deduction of
G; Γ ⊢ p:φ. □
Proposition 3.4.5 Let π be a deduction of G; Γ ⊢ p:φ, and J a relational judgment
occurring (possibly not open) in π. Moreover, let G' be the set of relational
assumptions discharged by rules (◇E), (□I), (○I) and (R_D) that occur in π below J.
Then G, G' ⊢ J.

Proof. Proceed by induction using as measure the size of the set of judgments J
depends on.

• if J is open, J ∈ G; if J is discharged by a logical rule or by rule (R_D), then
J ∈ G'. In any case trivially G, G' ⊢ J;

• if J is discharged by a relational rule (ρ) with premises J_1, ..., J_n, by the
induction hypothesis we have G, G' ⊢ J_1, ..., G, G' ⊢ J_n. Now observe that in the
relational proof system we have a rule corresponding to (ρ) from which J_1, ..., J_n ⊢
J, so that we can conclude G, G' ⊢ J. □


Having defined a proof system for relational judgments allows us to state some
simple facts about the structure of such proofs. In particular, the case in which
the conclusion of the proof has the shape p R' q is interesting: in this case we can
rebuild the sequence of world variables witnessing p R' q.


Proposition 3.4.6 Let G be a set of relational judgments and p, q world variables.
If G ⊢ p R q or G ⊢ p R' q, there exist two sequences s_0, ..., s_n and e_0, ..., e_n of
world variables such that:

• G ⊢ e_0 = p and G ⊢ s_n = q;

• for each i ≤ n, G ⊢ s_i = e_i;

• for each i < n, either s_i R e_{i+1} ∈ G or s_i R' e_{i+1} ∈ G.

Proof. We proceed by induction on a deduction of G ⊢ J:

• if J is an assumption in G, we take n = 1 and the sequences p, q and p, q;

• if J is obtained by an application of the reflexivity rule, we take n = 0 and the
trivial sequences p and q (here p and q are the same variable);

• if J is obtained by an application of the R' introduction rule with premise p R q,
we apply the induction hypothesis to the premise to obtain the sequences;

• if J is obtained by an application of the equality rule with premises p' = p and
J', where J = J'{p/p'} (or, symmetrically, q' = q and J' with J = J'{q/q'}), we apply
the induction hypothesis to J' to obtain a pair of sequences s_0, ..., s_n and
e_0, ..., e_n with G ⊢ e_0 = p' (respectively G ⊢ s_n = q'). Since G ⊢ p' = p, by
transitivity of equality the same sequences satisfy the requirements;

• if J = p R' q is obtained by an application of the transitivity rule with premises
p R' r and r R' q, the induction hypothesis gives us two pairs of sequences
s'_0, ..., s'_n, e'_0, ..., e'_n and s''_0, ..., s''_m, e''_0, ..., e''_m. Now, since by
transitivity of equality G ⊢ s'_n = e''_0 (both are provably equal to r), the new pair
of sequences s'_0, ..., s'_{n-1}, s''_0, ..., s''_m and e'_0, ..., e'_n, e''_1, ..., e''_m
satisfies the requirements. □


Now, transposing the previous fact to NK-STL and NJ-STL, we have:

Corollary 3.4.7 Let π be a deduction of G; Γ ⊢ p_0:φ and J a relational judgment of
shape p R' q occurring not open in π. Moreover, let G' be the set of relational
assumptions discharged by rules (◇E), (□I), (○I) and (R_D) that occur in π below J.

Then there exist two sequences of world variables s_0, ..., s_n and e_0, ..., e_n
satisfying the following:

• G, G' ⊢ e_0 = p and G, G' ⊢ s_n = q;

• for each i ≤ n, G, G' ⊢ s_i = e_i;

• for each i < n, one of the two judgments s_i R e_{i+1} and s_i R' e_{i+1} belongs
to G ∪ G'.

Proof. By Proposition 3.4.5 there exists a deduction of G, G' ⊢ p R' q, and applying
Proposition 3.4.6 we immediately have the result. □


Definition 3.4.8 Let π, G, p R' q be as in the corollary above and let s_0, ..., s_n,
e_0, ..., e_n be the two sequences whose existence is stated there. We will say that
p R' q is of finite length if for each i < n, s_i R e_{i+1} ∈ G ∪ G' (i.e. no step of
the chain uses an R' judgment). In this case we will also say that the judgment
p R' q is of length n.
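The relational proof system of Definition 3.4.2 and the witnessing chains of Proposition 3.4.6 (with the length of Definition 3.4.8) can be computed mechanically for a finite context. The following Python script, added here as an illustration and not taken from the thesis, saturates a set of relational judgments under the rules above and then rebuilds the sequences s_0, ..., s_n and e_0, ..., e_n by a breadth-first search over world variables. The tuple encoding of judgments and the sample context G_SAMPLE are constructed for the example.

```python
"""Relational entailment (Definition 3.4.2) and witness chains (Proposition 3.4.6).

Added example, not code from the thesis.  Relational judgments are tuples
('R', p, q), ('Rp', p, q) for p R' q, and ('eq', p, q); world variables are strings.
"""
from collections import deque


def subst(J, p, q):
    """J{q/p}: replace every occurrence of p in J with q."""
    return (J[0],) + tuple(q if x == p else x for x in J[1:])


def saturate(G):
    """Closure of G under the rules of Definition 3.4.2: R' reflexive, R included in
    R', R' transitive, linearity (p R q, p R r => q = r), reflexivity of =,
    substitution (p = q, J => J{q/p}) and p = q, r = q => p = r.  The variables are
    those of G, so the fixpoint is reached after finitely many rounds."""
    facts = set(G)
    variables = {x for J in G for x in J[1:]}
    facts |= {('Rp', v, v) for v in variables} | {('eq', v, v) for v in variables}
    while True:
        new = set()
        for (t, a, b) in facts:
            if t == 'R':
                new.add(('Rp', a, b))
                new |= {('eq', b, d) for (t2, c, d) in facts if t2 == 'R' and c == a}
            elif t == 'Rp':
                new |= {('Rp', a, d) for (t2, c, d) in facts if t2 == 'Rp' and c == b}
            else:  # t == 'eq'
                new |= {('eq', a, c) for (t2, c, d) in facts if t2 == 'eq' and d == b}
                new |= {subst(K, a, b) for K in facts}
        if new <= facts:
            return facts
        facts |= new


def entails(G, J):
    """G |- J: J has a deduction in the relational system from assumptions in G."""
    return J in saturate(G)


def witness(G, p, q, only_R=False):
    """Sequences (s_0..s_n, e_0..e_n) of Proposition 3.4.6 for G |- p R' q, or None:
    e_0 = p, G |- s_i = e_i, s_i R e_{i+1} in G (or s_i R' e_{i+1} in G unless only_R)
    and G |- s_n = q.  Breadth-first search over world variables, so the chain found
    is a shortest one."""
    facts = saturate(G)
    kinds = ('R',) if only_R else ('R', 'Rp')
    parent = {p: None}                       # e_{i+1} -> (s_i, e_i)
    queue = deque([p])
    while queue:
        e = queue.popleft()
        if ('eq', e, q) in facts:            # reached q up to provable equality
            ss, es = [q], [e]
            while parent[es[0]] is not None:
                s, prev = parent[es[0]]
                ss.insert(0, s)
                es.insert(0, prev)
            return ss, es
        for (t, s, e_next) in sorted(G):
            if t in kinds and ('eq', e, s) in facts and e_next not in parent:
                parent[e_next] = (s, e)
                queue.append(e_next)
    return None


def length(G, p, q):
    """Length n of p R' q in the sense of Definition 3.4.8 (a chain using only R
    judgments of G), or None when p R' q is not of finite length."""
    w = witness(G, p, q, only_R=True)
    return None if w is None else len(w[0]) - 1


# Constructed context: p has two successors (so linearity identifies them),
# q2 steps to r, r reaches t through R', and u is provably equal to t.
G_SAMPLE = [('R', 'p', 'q1'), ('R', 'p', 'q2'), ('R', 'q2', 'r'), ('Rp', 'r', 't'), ('eq', 'u', 't')]

if __name__ == '__main__':
    print(entails(G_SAMPLE, ('eq', 'q1', 'q2')), entails(G_SAMPLE, ('Rp', 'p', 'u')))
    print(witness(G_SAMPLE, 'p', 'u'), length(G_SAMPLE, 'p', 'r'), length(G_SAMPLE, 'p', 'u'))
```

On G_SAMPLE the chain for p R' u is s = p, q2, r, u and e = p, q1, r, t: the pair (q2, q1) is glued by the linearity rule and the pair (u, t) by the equality in G, while the step from r uses an R' judgment, so p R' u is not of finite length although p R' r is of length 2.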


Finally we consider how renaming of world variables affects NK-STL (NJ-STL)
deductions.

Given any function f: V → V, we can trivially extend f to labelled formulas and
relational judgments as follows:

$$f(p\,R\,q) = f(p)\,R\,f(q)\qquad f(p\,R'\,q) = f(p)\,R'\,f(q)\qquad f(p = q) = (f(p) = f(q))\qquad f(p:\varphi) = f(p):\varphi$$

Consequently f naturally extends also to logical and relational contexts, via:

$$f(\Gamma) = \{\,f(J) : J \in \Gamma\,\}\qquad\qquad f(G) = \{\,f(J) : J \in G\,\}$$


The following statement permits to extend f also to NK-STL (NJ-STL) deductions.

Proposition 3.4.9 Let f be a function on the set of world variables V, then:

$$G;\Gamma \vdash p:\varphi \quad\Longrightarrow\quad f(G); f(\Gamma) \vdash f(p):\varphi.$$

Moreover the deduction of f(G); f(Γ) ⊢ f(p):φ is obtained by renaming world variables
occurring in the deduction of G; Γ ⊢ p:φ.

Proof. Proceeding by induction on a derivation π of G; Γ ⊢ p:φ, we build a derivation
of f(G); f(Γ) ⊢ f(p):φ. Here we consider only the case in which π concludes with an
application of (○I)^{(q)}, i.e. π has the shape

$$\dfrac{[p\,R\,q]\;\;\vdots\;\pi'\;\vdots\;\;q:\varphi}{p:\bigcirc\varphi}\;(\bigcirc I)^{(q)}$$

where π' is a deduction of G, p R q; Γ ⊢ q:φ.

Let r be a world variable different from f(p) and occurring neither in f(G) nor in
f(Γ), and let g = f[q ↦ r] be the function that agrees with f on V \ {q} and maps q
to r. By the inductive hypothesis there exists a deduction π'' of g(G), g(p R q); g(Γ) ⊢
g(q):φ, that is of g(G), f(p) R r; g(Γ) ⊢ r:φ. By the choice of r, applying rule
(○I)^{(r)} to π'' we obtain a deduction of g(G); g(Γ) ⊢ g(p):○φ. Finally, since q is
fresh for the original application of (○I), it occurs neither in G nor in Γ, so
g(G) = f(G), g(Γ) = f(Γ) and g(p) = f(p): the deduction obtained is also a deduction
of f(G); f(Γ) ⊢ f(p):○φ. □


Corollary 3.4.10 If G; Γ ⊢ p:φ and p occurs neither in G nor in Γ, then
G; Γ ⊢ q:φ for any world variable q.

Proof. Simply apply Proposition 3.4.9 using the function f: V → V such that f(p) = q
and f(x) = x for any other x ∈ V. □

Observe that, if f is not injective, the sets of assumptions f(Γ) and f(G) can be
smaller than Γ and G; consider for instance Γ = {p:φ, q:φ} and f such that
f(p) = f(q) = p.

3.5 Soundness and Completeness


In this section we will prove the soundness and completeness of NK-STL. First we 
recall the standard notion of sound rule and adapt it to our system. 


Definition 3.5.1 Let (ρ) be a natural deduction rule that, given deductions of
G_1; Γ_1 ⊢ p_1:φ_1, ..., G_n; Γ_n ⊢ p_n:φ_n, builds a deduction of G; Γ ⊢ p:φ. Rule (ρ) is
said to be sound if, for each birelational structure M, from

$$\forall\sigma\ \ M,\sigma \models G_1 \text{ and } M,\sigma \models \Gamma_1 \;\Rightarrow\; M,\sigma \models p_1:\varphi_1$$
$$\vdots$$
$$\forall\sigma\ \ M,\sigma \models G_n \text{ and } M,\sigma \models \Gamma_n \;\Rightarrow\; M,\sigma \models p_n:\varphi_n$$

follows:

$$\forall\sigma\ \ M,\sigma \models G \text{ and } M,\sigma \models \Gamma \;\Rightarrow\; M,\sigma \models p:\varphi.$$

Proposition 3.5.2 (Soundness)

$$\Gamma \vdash p:\varphi \quad\Longrightarrow\quad \Gamma \models p:\varphi$$

for each set of labelled formulas Γ and for each labelled formula p:φ.


Proof. It is sufficient to show that each rule of NK-STL is sound. We prove as an
example that rule (□I) is sound.

So we consider a birelational structure M = (W, R, R', ρ) and a modal environment
σ such that M, σ ⊨ Γ. We now have to prove that, assuming

$$\forall\sigma'\ \ M,\sigma' \models p\,R'\,q \text{ and } M,\sigma' \models \Gamma \;\Rightarrow\; M,\sigma' \models q:\varphi,$$

we also have M, σ ⊨ p:□φ.

Let w and w' be elements of W such that σ(p) = w and w R' w', and take
σ' = σ[q ↦ w']. Clearly M, σ' ⊨ p R' q and, since by the side condition on q the
variable q does not occur in Γ, also M, σ' ⊨ Γ. Hence, applying the hypothesis,
M, σ' ⊨ q:φ, i.e. M, w' ⊨ φ.

Summarizing, for each w' such that σ(p) R' w' we have M, w' ⊨ φ, but this
means M, σ ⊨ p:□φ. □


The proof of completeness can be given by deriving each axiom of the Hilbert system
and showing that each inference rule of the Hilbert system is admissible (modus ponens
is just (→E); necessitation is Lemma 3.5.3 below).

Lemma 3.5.3 If ⊢ p:φ then ⊢ p:○φ and ⊢ p:□φ.

Proof. If π is a proof of p:φ and q is a world variable not occurring in π, using
Corollary 3.4.10 we obtain a proof π{q/p} of q:φ, and

$$\dfrac{\pi\{q/p\}\;\;\vdots\;\;q:\varphi}{p:\bigcirc\varphi}\;(\bigcirc I)^{(q)}\qquad\qquad
\dfrac{\pi\{q/p\}\;\;\vdots\;\;q:\varphi}{p:\Box\varphi}\;(\Box I)^{(q)}$$

are proofs of p:○φ and p:□φ respectively (the assumption p R q, respectively p R' q,
that the introduction rule may discharge is simply not used). □


Lemma 3.5.4 Each axiom of the Hilbert system is derivable in NK-STL.

Proof. We only give as an example a derivation of axiom K for □, namely
□(φ → ψ) → (□φ → □ψ) (the derivation for ○ is the same with R in place of R'):

1. [p R' q]^1, [p:□(φ → ψ)]^3 ⊢ q:φ → ψ  by (□E)
2. [p R' q]^1, [p:□φ]^2 ⊢ q:φ  by (□E)
3. q:ψ  by (→E) from 1 and 2
4. p:□ψ  by (□I)^{(q)}, discharging 1
5. p:□φ → □ψ  by (→I), discharging 2
6. p:□(φ → ψ) → (□φ → □ψ)  by (→I), discharging 3 □
Proposition 3.5.5 (Completeness)

$$\Gamma \models p:\varphi \quad\Longrightarrow\quad \Gamma \vdash p:\varphi$$

for each set of labelled formulas Γ and for each labelled formula p:φ.

Proof. Follows immediately from the completeness of the Hilbert system and from
Lemmata 3.5.3 and 3.5.4. □


3.6 A natural deduction system without equality for STL

In this section we describe a variant of the natural deduction system for small
temporal logic that does not use judgments for equality.
Consider the following introduction/elimination rules for ○:

$$\dfrac{p\,R\,q\quad q:\varphi}{p:\bigcirc\varphi}\;(\bigcirc I')\qquad\qquad
\dfrac{p\,R\,q\quad p:\bigcirc\varphi}{q:\varphi}\;(\bigcirc E)$$


Using rule (○I') together with (R_D) we can derive the linearity axiom ¬○φ → ○¬φ:

1. [p R q]^1, [q:φ]^2 ⊢ p:○φ  by (○I')
2. [p:¬○φ]^3, p:○φ ⊢ p:⊥  by (→E)
3. q:¬φ  by (→I), discharging 2 (the ⊥ is first moved to label q by (⊥E_c), which
   discharges nothing here)
4. p:○¬φ  by (○I') from [p R q]^1 and 3
5. p:○¬φ  by (R_D)^{(q)}, discharging 1
6. p:¬○φ → ○¬φ  by (→I), discharging 3

Whereas using rule (○E) and again rule (R_D) we obtain a proof of axiom D,
○¬φ → ¬○φ:

1. [p R q]^1, [p:○¬φ]^3 ⊢ q:¬φ  by (○E)
2. [p R q]^1, [p:○φ]^2 ⊢ q:φ  by (○E)
3. q:⊥  by (→E) from 1 and 2
4. p:⊥  by (R_D)^{(q)}, discharging 1 (the ⊥ is first moved to label p by (⊥E_c))
5. p:¬○φ  by (→I), discharging 2
6. p:○¬φ → ¬○φ  by (→I), discharging 3

Clearly also the axioms T and 4 for □ can be proved using rules (○I') and (○E) with
deductions that do not contain equality judgments. This suggests a simplification of
the system defined above.


Definition 3.6.1 The system NK-STL' is obtained from the system NK-STL by removing
the rules (=) and (R_l) and substituting rule (○I) with (○I').


The resulting system is easily seen to be sound and complete with respect to
birelational temporal frames.

Proposition 3.6.2 (Soundness)

$$\Gamma \vdash_{NK\text{-}STL'} p:\varphi \quad\Longrightarrow\quad \Gamma \models p:\varphi$$

for each set of labelled formulas Γ and for each labelled formula p:φ.

Proof. Follows easily from the soundness of NK-STL and from the fact that (○I') is
derivable in NK-STL (Remark 3.4.1). □

Proposition 3.6.3 (Completeness)

$$\Gamma \models p:\varphi \quad\Longrightarrow\quad \Gamma \vdash_{NK\text{-}STL'} p:\varphi$$

for each set of labelled formulas Γ and for each labelled formula p:φ.

Proof. Easy by the completeness of NK-STL and by the fact that (○I) can be derived
from (○I') and (R_D) (Remark 3.4.1). □


Even if NK-STL' also gives rise to a complete system, we immediately face a
problem when trying to normalize, for instance, a proof of p R p_1, p R p_2; p_1:φ ⊢
p_2:φ. Indeed it is easily seen that such a deduction requires the introduction of
○φ: from p R p_1 and p_1:φ rule (○I') gives p:○φ, from which (○E) with p R p_2 gives
p_2:φ, and this introduction immediately followed by an elimination cannot be reduced
away.

The problem arises from relational contexts in which two distinct world variables
(here p_1 and p_2) are successors of the same world variable (here p).

With the following definition we want to make precise the set of deductions giving
rise to the problem sketched above. Then we show that we can avoid such complications
by imposing a mild restriction on the set of relational contexts.


Definition 3.6.4 A set of relational assumptions G will be said to be linear if

• G does not contain the equality symbol;

• there do not exist world variables p, q_1 and q_2, with q_1 ≠ q_2, such that
p R q_1 ∈ G and p R q_2 ∈ G.

Consider a deduction of G; Γ ⊢ p:φ concluding with an application of (R_D). Such an
application of rule (R_D) will be said to be linear if the assumption discharged by
the rule, say q R q', is such that for no q'' is q R q'' ∈ G.

A deduction π of G; Γ ⊢ p:φ will be said to be linear if G is linear and each
application of (R_D) within π is linear (with respect to the subdeduction it
concludes).

Clearly, given a linear deduction π, each subdeduction π' of π has a linear set of
open assumptions.


Proposition 3.6.5 Given a linear G, if G; Γ ⊢ p:φ there exists a linear deduction
of G; Γ ⊢ p:φ.

Proof. By induction on the deduction of G; Γ ⊢ p:φ, removing each non-linear
occurrence of (R_D).

The only non-trivial case to consider is the case in which the deduction concludes
with a non-linear application of (R_D). Then we have a deduction π of G, q R q''; Γ ⊢ p:φ
with q R q' ∈ G. Consider now the function f on V that is the identity on V \ {q''}
and maps q'' to q'.

By Proposition 3.4.9 we also have a deduction π' of f(G), f(q R q''); f(Γ) ⊢ f(p):φ,
but, from the side conditions on (R_D) (q'' occurs neither in G, Γ nor in p:φ), this
is a deduction of G, q R q'; Γ ⊢ p:φ, i.e. of G; Γ ⊢ p:φ since q R q' ∈ G. Now, π'
is of the same size as π, hence smaller than the original deduction, so the
statement follows by the inductive hypothesis. □


As a consequence of the previous proposition we obtain a complete proof system 
also if we restrict (Rp) to linear applications only. It could be shown that the 
resulting system is normalizing. 


Chapter 4 


Small temporal logic 
Normalization 


In this chapter we study the properties related to normalization within the systems 
NK-STL and NJ-STL. The emphasis is on weak normalization and properties of 
normal deductions. 


4.1 Reduction Rules 


4.1.1 Relational Reductions 


The relational rules will not take a fundamental part in reductions; we can consider
them as indirect rules that do not discharge logical judgments. We can easily see
that each relational rule commutes with the other rules following the schema

$$\dfrac{J_1\;\cdots\;J_n\quad \dfrac{[J]\;\;\vdots\;\;p:\varphi}{p:\varphi}\,(R)\qquad \Sigma}{q:\psi}\,(r)
\quad\rightsquigarrow\quad
\dfrac{J_1\;\cdots\;J_n\quad \dfrac{[J]\;\;\vdots\;\;p:\varphi\qquad \Sigma}{q:\psi}\,(r)}{q:\psi}\,(R)$$

where (R) is a relational rule with relational premises J_1, ..., J_n, (r) is an
elimination rule with main premise p:φ and remaining premises Σ, and J is the
judgment discharged by the relational rule. To see that the reduction given above
makes sense it is sufficient to observe that no elimination rule discharges
assumptions on its main premise, so in this case J_1, ..., J_n cannot be discharged by
(r).
The only exceptions to the pattern above are the equality rules, for which we have
the following permutative reductions. For the rule (=) acting on logical judgments,
the equality is pushed through the elimination; for instance

$$\dfrac{\dfrac{p_1 = p_2\quad p_1:\varphi\to\psi}{p_2:\varphi\to\psi}\,(=)\qquad p_2:\varphi}{p_2:\psi}\,(\to E)
\quad\rightsquigarrow\quad
\dfrac{p_1 = p_2\qquad \dfrac{p_1:\varphi\to\psi\qquad \dfrac{p_2 = p_1\quad p_2:\varphi}{p_1:\varphi}\,(=)}{p_1:\psi}\,(\to E)}{p_2:\psi}\,(=)$$

and similarly for (∧E). For the modal eliminations, whose minor premise is a
relational judgment, the relational form of (=) is used to move that judgment to the
other label; for instance

$$\dfrac{\dfrac{p_1 = p_2\quad p_1:\Box\varphi}{p_2:\Box\varphi}\,(=)\qquad p_2\,R'\,q}{q:\varphi}\,(\Box E)
\quad\rightsquigarrow\quad
\dfrac{p_1 = p_2\qquad p_2\,R'\,q\qquad \dfrac{p_1:\Box\varphi\qquad [p_1\,R'\,q]}{q:\varphi}\,(\Box E)}{q:\varphi}\,(=)$$

and in the same way for (○E) and (◇E), where for (◇E) also the discharged
assumptions [p_2 R' r][r:φ] become [p_1 R' r][r:φ].


4.1.2 Logical Reductions 


The proper reduction rules are given by the proper reduction rules of propositional
logic plus the following:

$$\dfrac{\dfrac{[p\,R\,r]\;\;\vdots\;\pi\;\vdots\;\;r:\varphi}{p:\bigcirc\varphi}\,(\bigcirc I)^{(r)}\qquad p\,R\,q}{q:\varphi}\,(\bigcirc E)
\quad\rightsquigarrow\quad
\begin{array}{c} p\,R\,q \\ \vdots\;\pi\{q/r\} \\ q:\varphi \end{array}$$

$$\dfrac{\dfrac{[p\,R'\,r]\;\;\vdots\;\pi\;\vdots\;\;r:\varphi}{p:\Box\varphi}\,(\Box I)^{(r)}\qquad p\,R'\,q}{q:\varphi}\,(\Box E)
\quad\rightsquigarrow\quad
\begin{array}{c} p\,R'\,q \\ \vdots\;\pi\{q/r\} \\ q:\varphi \end{array}$$

$$\dfrac{\dfrac{p\,R'\,q\quad q:\varphi}{p:\Diamond\varphi}\,(\Diamond I)\qquad [p\,R'\,r]\,[r:\varphi]\;\;\vdots\;\pi'\;\vdots\;\;p_0:\psi}{p_0:\psi}\,(\Diamond E)^{(r)}
\quad\rightsquigarrow\quad
\begin{array}{c} p\,R'\,q\quad q:\varphi \\ \vdots\;\pi'\{q/r\} \\ p_0:\psi \end{array}$$

where π{q/r} denotes the deduction obtained from π by replacing r with q and, in the
resulting deductions, some further renaming of variables bound by (○I), (□I), (◇E)
and (R_D) may be needed (see [TvD88] for a detailed explanation).
Finally we have the permutative reductions for ∨ and ◇:

$$\dfrac{\dfrac{p:\Diamond\varphi\qquad [p\,R'\,r]\,[r:\varphi]\;\;\vdots\;\pi\;\vdots\;\;q:\psi}{q:\psi}\,(\Diamond E)^{(r)}\qquad \Sigma}{q_0:\psi_0}\,(\rho)
\quad\rightsquigarrow\quad
\dfrac{p:\Diamond\varphi\qquad \dfrac{[p\,R'\,r]\,[r:\varphi]\;\;\vdots\;\pi\;\vdots\;\;q:\psi\qquad \Sigma}{q_0:\psi_0}\,(\rho)}{q_0:\psi_0}\,(\Diamond E)^{(r)}$$

$$\dfrac{\dfrac{p:\varphi_1\vee\varphi_2\qquad [p:\varphi_1]\;\;\vdots\;\pi_1\;\vdots\;\;q:\psi\qquad [p:\varphi_2]\;\;\vdots\;\pi_2\;\vdots\;\;q:\psi}{q:\psi}\,(\vee E)\qquad \Sigma}{q_0:\psi_0}\,(\rho)
\quad\rightsquigarrow\quad
\dfrac{p:\varphi_1\vee\varphi_2\qquad \dfrac{[p:\varphi_1]\;\;\vdots\;\pi_1\;\vdots\;\;q:\psi\qquad \Sigma}{q_0:\psi_0}\,(\rho)\qquad \dfrac{[p:\varphi_2]\;\;\vdots\;\pi_2\;\vdots\;\;q:\psi\qquad \Sigma}{q_0:\psi_0}\,(\rho)}{q_0:\psi_0}\,(\vee E)$$

where (ρ) is any elimination rule with major premise q:ψ and remaining premises Σ.
We now amend the standard definitions of path, segment and thread to deal with 
this augmented set of rules. For the original definitions see [Pra65]. 


Definition 4.1.1 Given a deduction π, a sequence J_1, ..., J_n of logical judgment
occurrences in π is a thread if J_1 is a leaf in π, J_i stands immediately above J_{i+1}
for each i < n, and J_n is the conclusion of π.

Given a thread J_1, ..., J_n in π, a subsequence J_i, ..., J_{i+k} is a segment if:

• J_i is not the consequence of an indirect rule;

• J_{i+j} is the minor premise of an indirect logical rule or the premise of a
relational rule, for each j < k;

• J_{i+k} is not the minor premise of an indirect logical rule or the premise of a
relational rule.

A segment J_1, ..., J_k is a maximum segment when J_1 is the conclusion of an
introduction rule and J_k is the major premise of an elimination rule.

Observe that the judgments J_i, ..., J_{i+k} in a segment have shape p_i:φ, ..., p_{i+k}:φ,
where for some h, k it may be p_h ≠ p_k; this happens when (=) occurs in the segment.


Definition 4.1.2 Given a deduction π, a sequence J_1, ..., J_n of logical judgment
occurrences in π is a path if

• J_1 is a leaf that is not discharged by the application of an indirect rule;

• for each i < n, J_i is:

  – either a premise of a relational or of an introduction rule and J_{i+1} is the
  conclusion of such a rule;

  – or the major premise of an indirect rule discharging J_{i+1};

  – or a premise of a direct elimination rule concluding with J_{i+1};

• J_n is either the minor premise of a (→E), or the major premise of an indirect
rule that does not discharge any assumption, or the conclusion of π.

Observe that each judgment occurring in some deduction π occurs in some path
in π.

Finally we define a notion of rank on deductions to be used as inductive measure
in the normalization proofs.

Definition 4.1.3 The size of a formula φ (written |φ|) is the number of connectives
occurring in φ. Accordingly, the size of a judgment is defined as the size of its
formula and the size of a segment as the size of any of its judgments (recall that
judgments occurring in the same segment always carry the same formula).

The length of a segment σ (written lh(σ)) is the number of judgments occurring
in σ.

The cut rank of a deduction π (written cr(π)) is defined as a pair (n, ℓ) where:

$$n = \max\{\,|\sigma| : \sigma \text{ is a maximum segment in } \pi\,\}$$

$$\ell = \sum\{\,lh(\sigma) : \sigma \text{ is a maximum segment in } \pi \text{ with } |\sigma| = n\,\}$$

where the maximum and the sum over the empty set are intended to be 0.

Ranks will be considered ordered with the lexicographic order, so that (n_1, ℓ_1) <
(n_2, ℓ_2) when n_1 < n_2, or n_1 = n_2 and ℓ_1 < ℓ_2. The bottom of this ordering, (0, 0),
will also be written as 0.

A deduction π is said to be normal if cr(π) = 0, i.e. if it has no maximum segments.


The following lemmata will be used in the normalization proofs both for the 
classical case and the intuitionistic case. 


Lemma 4.1.4 Let π be a deduction concluding with an elimination rule whose main
premise is the conclusion of a maximum segment σ. Assume moreover that for each
maximum segment σ' in π different from σ, |σ'| < |σ|. Then, from π ⇝ π' it follows
that cr(π') < cr(π).

Proof. Assume that σ has size |φ| (so cr(π) = (|φ|, lh(σ))) and let σ' be a maximum
segment occurring in π' but not in π.

If π' is obtained by a relational reduction or a permutative reduction, then σ'
must be a proper subsegment of σ.

If π' is obtained by a logical reduction, then σ' must be of size |ψ| where ψ is a
proper subformula of φ.

Hence cr(π') is (|φ|, lh(σ) − 1) in the former case, and at most (|ψ|, ℓ) for some
proper subformula ψ of φ and some ℓ in the latter case. In both cases cr(π') <
cr(π). □
Lemma 4.1.5 Let π_1 and π_2 be the following deductions, obtained by plugging the
deductions π'_1 and π'_2 of p:φ into the same context Σ:

$$\pi_1 = \begin{array}{c} \vdots\;\pi'_1 \\ p:\varphi \\ \vdots\;\Sigma \\ p_0:\psi \end{array}
\qquad\qquad
\pi_2 = \begin{array}{c} \vdots\;\pi'_2 \\ p:\varphi \\ \vdots\;\Sigma \\ p_0:\psi \end{array}$$

and assume cr(π_1) = (n, ℓ), cr(π'_1) = (n, ℓ') and |φ| < n. Then, if cr(π'_2) < cr(π'_1),
also cr(π_2) < cr(π_1).

Proof. Let cr(π'_2) = (n'', ℓ''). Since |φ| < n, no maximum segment of size n can
cross the boundary between Σ and π'_1 (or π'_2). If n'' = n it must be ℓ'' < ℓ', and

$$\begin{array}{rcl}
\ell_2 & = & \sum\{\,lh(\sigma) : \sigma \text{ is a maximum segment in } \pi_2 \text{ with } |\sigma| = n\,\} \\
       & = & \sum\{\,lh(\sigma) : \sigma \text{ is a maximum segment in } \Sigma \text{ with } |\sigma| = n\,\} + \ell'' \\
       & < & \sum\{\,lh(\sigma) : \sigma \text{ is a maximum segment in } \Sigma \text{ with } |\sigma| = n\,\} + \ell' \;=\; \ell.
\end{array}$$

If n'' < n, either some maximum segment in Σ is of size n, and cr(π_2) = (n, ℓ − ℓ') <
(n, ℓ), or every maximum segment in Σ is of size smaller than n. In the latter case,
since also each maximum segment in π'_2 is of size smaller than n and |φ| < n, we
have again cr(π_2) < (n, ℓ). □


4.2 NK-STL Normalization

Following [Pra65], in virtue of the equivalence ◇φ ≡ ¬□¬φ, we will consider the
fragment ⊥, ∧, →, ○, □, so as to "minimize the disturbing effect of (⊥E_c)".

Observe that in the natural deduction system for classical propositional logic
the only non-trivial segments span through (∨E), so in the ∨-free fragment we never
have segments of length greater than 1. Conversely, due to the relational rules, in
NK-STL_{⊥,∧,→,○,□} deductions we can have segments of any length.

We start by showing that, without loss of generality, we can restrict (⊥E_c) so
that it concludes with atomic formulas different from ⊥.

Proposition 4.2.1 If G; Γ ⊢ p:φ, there is a deduction of p:φ from G; Γ in which
the consequence of every application of (⊥E_c) is a propositional variable.

Proof. Consider a deduction π of G; Γ ⊢ p:φ, and assume that some non-atomic
formula ψ occurs in the deduction as the conclusion of (⊥E_c). Then q:ψ will be the
conclusion of some subdeduction π'' of shape

$$\dfrac{[q:\neg\psi]\;\;\vdots\;\pi'\;\vdots\;\;q':\bot}{q:\psi}\;(\bot E_c)$$

Now if ψ = ○ψ_0 or ψ = □ψ_0, we can rewrite π'' as follows (we show the case ψ = ○ψ_0;
the case ψ = □ψ_0 is identical with R', (□E) and (□I) in place of R, (○E) and (○I)).
Take a world variable r not occurring in π''. Each assumption [q:¬○ψ_0] discharged by
the (⊥E_c) above is replaced by the deduction

1. [q:○ψ_0]^2, [q R r]^3 ⊢ r:ψ_0  by (○E)
2. [r:¬ψ_0]^1, r:ψ_0 ⊢ r:⊥  by (→E)
3. q:¬○ψ_0  by (→I), discharging [q:○ψ_0]^2 (the ⊥ is first moved to label q by
   (⊥E_c), which discharges nothing here)

so that π' becomes a deduction of q':⊥ whose new open assumptions are [r:¬ψ_0]^1 and
[q R r]^3. Then

4. r:ψ_0  by (⊥E_c), discharging [r:¬ψ_0]^1
5. q:○ψ_0  by (○I)^{(r)}, discharging [q R r]^3

and the new deduction has the same conclusion and the same open assumptions as π''.

In a similar way, in case ψ is ⊥ or a formula with main connective → or ∧, we can
rewrite π'' as described in [Pra65].

In any case the size of the formula occurring as conclusion of the rewritten (⊥E_c)
is smaller than |ψ|. Then, to obtain a deduction as in the statement, we can
repeatedly apply the procedure described above. □


Proposition 4.2.2 If G; Γ ⊢ p:φ is derivable in the fragment ⊥, ∧, →, ○, □, there
exists a normal deduction of G; Γ ⊢ p:φ.

Proof. The proof proceeds along the lines of the proof of Prawitz for classical
predicate logic. Let π be a deduction of G; Γ ⊢ p:φ; in virtue of Proposition 4.2.1
we can assume without loss of generality that each occurrence of (⊥E_c) in π
concludes with a propositional variable. Now we define a sequence π_0, π_1, ... of
deductions where π_{i+1} is obtained from π_i as described below.

If we assume cr(π_i) = (n, ℓ) > 0, the set of maximum segments in π_i is not empty.
In this case we can choose a subdeduction π'_i of π_i such that π'_i concludes with an
elimination rule (ρ) that has a maximum segment σ of size n as major premise and
such that any other maximum segment occurring in π'_i has size smaller than |σ|
(for instance, one whose concluding (ρ) has no maximum segment of size n above it).

Let J be the last judgment occurring in σ. Since we assumed that each application
of (⊥E_c) has an atomic conclusion, J cannot be introduced via (⊥E_c), so the only
possibility is that J is the conclusion of an indirect rule, of a relational rule or
of an introduction rule. In any case we can apply to π'_i one of the reductions
defined in Section 4.1 to obtain a new deduction π''_i. Observe that again in π''_i
each occurrence of (⊥E_c) concludes with a propositional variable. Finally take π_{i+1}
as the deduction obtained by replacing π'_i with π''_i in π_i.

Obviously each π_i is a deduction of G; Γ ⊢ p:φ; moreover from Lemma 4.1.4 we know
cr(π''_i) < cr(π'_i) and from Lemma 4.1.5 we also know cr(π_{i+1}) < cr(π_i). Hence,
since the lexicographic order on ranks is well founded, the sequence must terminate
with a deduction π_k of rank 0. □


The importance of normal proofs rests on the fact that normal deductions have
a rigid structure. Properties of normal deductions are obtained by exploiting their
structure. The following lemma establishes the structure of normal deductions.

Lemma 4.2.3 Let π be a normal deduction and let β = σ_1, ..., σ_n be a path in π
(seen as a sequence of segments). Then there is a segment σ_i (the minimum segment
of β) such that:

• each σ_j with j < i is the major premise of an elimination rule and the formula in
σ_{j+1} is a subformula of the formula occurring in σ_j;

• either i = n, or σ_i is the premise of an introduction rule, or σ_i is the premise
of (⊥E_c);

• each σ_j with i < j < n is the premise of an introduction rule and the formula
occurring in σ_j is a subformula of the formula occurring in σ_{j+1}.

Proof. Since π is normal, no σ_j is a maximum segment, so along β each elimination
rule must precede each introduction rule. Observe moreover that the only place in
which (⊥E_c) may occur is below the minimum segment, since otherwise we would have
an application of (⊥E_c) that does not conclude with a propositional variable. □


In normal deductions we can assign a natural number to each path of the derivation,
called its order.

Definition 4.2.4 Given a normal deduction π and a path β in π, we will say that
the order of β is

• 0, if the last judgment of β is the conclusion of π;

• n + 1, if the last judgment of β is the minor premise of a (→E) rule whose
major premise belongs to a path of order n.

A path of order 0 will also be called a main path.

Observe that in normal deductions no path concludes on the major premise of an
indirect elimination rule, hence an order is defined for each path.
The following are standard consequences of normalization.


Corollary 4.2.5 (Consistency) The system NK-STL is consistent, i.e. it cannot
prove p:⊥ from no assumptions.

Proof. Assuming by contradiction the existence of a proof of p:⊥, from Propositions
4.2.1 and 4.2.2 we also have a normal proof π of p:⊥ in which every (⊥E_c) concludes
with a propositional variable. Consider the main path β of π: since there is no
introduction rule for ⊥, the introduction part of β must be empty, and ⊥ cannot be
the conclusion of (⊥E_c) either. But ⊥ can neither be the conclusion of an
elimination rule, since there are no open assumptions to eliminate (the leaf of β is
not discharged by an indirect rule, and no introduction rule or (⊥E_c) that could
discharge it occurs below it). □


Corollary 4.2.6 (Subformula property) Given a normal deduction π of G; Γ ⊢
p:φ, each formula occurring in π is either a subformula of some formula in Γ ∪ {φ}
or a subformula of a formula discharged by an application of (⊥E_c).

Proof. This is an immediate consequence of Lemma 4.2.3 for paths of order 0.
Assuming the statement true for each formula occurring in paths of order n, we in
particular have the statement true for the formulas that are conclusions of paths
of order n + 1 (since they are subformulas of some formula in a path of order n).
Applying again Lemma 4.2.3, we obtain the statement for each formula belonging to
paths of order n + 1. □

Corollary 4.2.7 (Separation Theorem) The only rules applied in a normal
deduction of Γ ⊢ p:φ are relational rules and logical rules for connectives occurring
in formulas of Γ and φ.

Proof. Follows immediately from Corollary 4.2.6. □


4.3 NJ-STL Normalization

We now study normalization for the intuitionistic system NJ-STL.

Proposition 4.3.1 If G; Γ ⊢ p:φ there exists a normal deduction of G; Γ ⊢ p:φ.

Proof. As in the proof of normalization for NK-STL, we start with a deduction π
and build a sequence of deductions π_0, π_1, ... where each π_{i+1} is obtained from π_i
by means of reductions (in this case we will also need the reductions for ⊥, ∨ and
◇). Applying Lemma 4.1.4 and Lemma 4.1.5 we have cr(π_i) > cr(π_{i+1}), hence the
sequence must conclude with a normal deduction. □


Lemma 4.3.2 Let $\pi$ be a normal deduction and let $\beta = \sigma_1,\ldots,\sigma_n$ be a path in $\pi$.
Then there is a segment $\sigma_i$ (the minimum segment in $\beta$) such that:


• each $\sigma_j$ with $j < i$ is major premise of an elimination rule and the formula in
$\sigma_{j+1}$ is a subformula of the formula occurring in $\sigma_j$;


• either $i = n$, or $\sigma_i$ is premise of an introduction rule, or $\sigma_i$ is premise of $(\bot_E)$;


• each $\sigma_j$ with $n > j > i$ is premise of an introduction rule and the formula
occurring in $\sigma_j$ is a subformula of the formula occurring in $\sigma_{j+1}$.


Proof. Immediate, since $\pi$ does not contain maximum segments. $\square$


Corollary 4.3.3 (Subformula property) Every formula occurring in a normal
deduction of $G;\Gamma \vdash p:\varphi$ is a subformula of some formula occurring in $G;\Gamma \cup \{p:\varphi\}$.


Proof. Proceed by induction on the order of paths, applying Lemma 4.3.2. $\square$


Corollary 4.3.4 (Separation Theorem) The only rules applied in a normal deduction
of $G;\Gamma \vdash p:\varphi$ are relational rules and logical rules for connectives occurring
in formulas of $\Gamma$ and $\varphi$.


Proof. Consequence of the subformula property. $\square$


The properties in the rest of this section are specific to the intuitionistic version of
the system (they have no counterpart in NK-STL). In order to state them precisely
we will need the following definition.
Definition 4.3.5 Strictly positive contexts are defined by the following abstract syntax:


$$
\varphi^+ ::= \ast \mid \varphi \wedge \varphi^+ \mid \varphi^+ \wedge \varphi \mid \varphi \vee \varphi^+ \mid \varphi^+ \vee \varphi \mid \varphi \to \varphi^+ \mid \bigcirc\varphi^+ \mid \Box\varphi^+ \mid \Diamond\varphi^+
$$


where $\varphi$ and $\varphi^+$ range over formulas and strictly positive contexts respectively.
Given a strictly positive context $\varphi^+$ and a formula $\varphi$ we denote with $\varphi^+[\varphi]$ the
result of substituting $\varphi$ for $\ast$ within $\varphi^+$.
We say that $\psi$ is a strictly positive subformula of $\varphi$ when there exists a strictly positive
context $\varphi^+$ such that $\varphi^+[\psi] = \varphi$.


Lemma 4.3.6 Let $\pi$ be a normal deduction of $G;\Gamma \vdash p:\varphi$ and $\beta$ a main path in $\pi$.
Then each formula occurring in the E-part of $\beta$ is a strictly positive subformula of
some formula in $\Gamma$.


Proof. First observe that each leaf of $\pi$ on a main path that is not discharged by
an indirect elimination rule must belong to $\Gamma$.
Then, for each $\varphi'$ on a main path, we have:


• if $\varphi'$ is the conclusion of a relational rule, then $\varphi'$ is also the logical premise of
that rule;


• if $\varphi'$ is the conclusion of a direct elimination rule that has $\psi$ as main premise,
then $\varphi'$ is a strictly positive subformula of $\psi$;


• if $\varphi'$ is discharged by an indirect elimination rule that has $\psi$ as main premise,
then $\varphi'$ is a strictly positive subformula of $\psi$. $\square$


Corollary 4.3.7 (Disjunction Property) Let $\Gamma$ be such that no formula $\varphi$ in $\Gamma$
contains a strictly positive subformula with $\vee$ as principal sign.
Then, if $G;\Gamma \vdash p:\varphi_1 \vee \varphi_2$, there exists $i \in \{1,2\}$ such that $G;\Gamma \vdash p:\varphi_i$.


Proof. Consider a normal deduction $\pi$ of $G;\Gamma \vdash p:\varphi_1 \vee \varphi_2$. By the assumption on
the shape of formulas in $\Gamma$ we know that no $(\vee_E)$ may occur in $\pi$, and so there is
exactly one main path in $\pi$.

Consider the last segment $\sigma$ of this path. By Lemma 4.3.2, $\sigma$ must be either:


• the conclusion of an elimination rule. But in this case, by Lemma 4.3.6, we
would also have that $\sigma$ is a strictly positive subformula of a formula in $\Gamma$, against the
assumptions;


• the conclusion of $(\bot_E)$. In this case we immediately have also a deduction of
$G;\Gamma \vdash \bot$ and hence also a deduction of $G;\Gamma \vdash p:\varphi_i$;


• the conclusion of a $(\vee_I)$ with premise $p:\varphi_i$ for some $i$.

In this last case $\pi$ consists of a subdeduction $\pi'$ followed by a set $(\rho)$ of relational rules
and by the final $(\vee_I)$ [the derivation figure is not recoverable from the scan]. Applying the rules $(\rho)$ to the deduction $\pi'$, we
obtain a deduction of $p:\varphi_i$. $\square$


The following two lemmata state the analogue of the existential property for
intuitionistic small temporal logic. Informally they say that if $p:\Diamond\varphi$ is provable
under a set of assumptions $G;\Gamma$, there exists a witness world $q$ in which $\varphi$ can be
proved.


Corollary 4.3.8 Given $G;\Gamma$ such that:
• no $\psi$ in $\Gamma$ contains a strictly positive subformula with $\Diamond$ or $\vee$ as principal sign;
• no relational formula in $G$ contains $R'$.


Then
$$G;\Gamma \vdash p:\Diamond\varphi \;\Rightarrow\; G;\Gamma \vdash p:\bigcirc^n\varphi \text{ for some } n.$$


Proof. Consider a normal deduction $\pi$ of $\Gamma \vdash p:\Diamond\varphi$. By Lemma 4.3.6 and the
assumption on the formulas occurring in $\Gamma$, no $(\vee_E)$ may occur in a main path of $\pi$.
Hence $\pi$ contains a single main path $\beta$. Moreover, again by the assumption on $\Gamma$
and by Lemma 4.3.6, the last segment in $\beta$ must be the conclusion of a $(\Diamond_I)$. So $\pi$ will be
of the following form [the derivation figure is not recoverable from the scan],
where $(\rho)$ is some set of relational rules discharging the assumption $[q\,R'\,r]$.
Now, apply Proposition 3.4.6 to find a pair of sequences $q_0,\ldots,q_n$; $e_0,\ldots,e_n$ and
proceed by induction on $n$.


• for $n = 0$ we have that $q$ and $r$ are equal, so that we can prove $p:\varphi$;


• from $q_{n-1}\,R\,q_n$ and $q_n$ equal to $r$ we immediately have a proof of $q_{n-1}:\bigcirc\varphi$
and, applying the induction hypothesis, we also have a proof of $q:\bigcirc^n\varphi$. $\square$
We can relax the hypothesis on the assumptions of the deduction to obtain a
generalization of the previous statement.


Corollary 4.3.9 (Existential property) Given $G;\Gamma$ such that:
• no $\psi$ in $\Gamma$ contains a strictly positive subformula with $\Diamond$ as principal sign;
• no relational formula in $G$ contains $R'$.


Then, if $G;\Gamma \vdash p:\Diamond\varphi$, there exists a set of indexes $\{i_1,\ldots,i_n\}$ such that
$$G;\Gamma \vdash p:\bigcirc^{i_1}\varphi \vee \cdots \vee \bigcirc^{i_n}\varphi.$$


Proof. We proceed by induction on the size of deductions of $p:\Diamond\varphi$.

Consider a normal deduction $\pi$ of $G;\Gamma \vdash p:\Diamond\varphi$, and a main path $\beta$ of the
deduction (we can have more than one main path if there is some occurrence of $(\vee_E)$ in
$\pi$).

Assume now that the last segment in $\beta$ is not a premise of a $(\vee_E)$ rule. By Lemma 4.3.6,
$\beta$ must conclude with a $(\Diamond_I)$ or a rule $(\bot_E)$. In either case the argument used to prove
Corollary 4.3.8 carries over unchanged.

Assume now that the last segment of $\beta$ is a premise of a $(\vee_E)$ rule; then $\pi$ must
have the following structure:


$$
\dfrac{
\dfrac{
\begin{array}{c}\pi_1\\ r:\psi_1 \vee \psi_2\end{array}\qquad
\begin{array}{c}[r:\psi_1]\\ \pi_2\\ q:\Diamond\varphi\end{array}\qquad
\begin{array}{c}[r:\psi_2]\\ \pi_3\\ q:\Diamond\varphi\end{array}
}{q:\Diamond\varphi}\;(\vee_E)
}{p:\Diamond\varphi}\;(\rho)
$$


where $(\rho)$ denotes a set of relational rules. Now, by adjoining the rules $(\rho)$ below $\pi_1$, $\pi_2$
and $\pi_3$ we obtain deductions


• $\pi'_1$ of $G;\Gamma \vdash r:\psi_1 \vee \psi_2$,
• $\pi'_2$ of $G;\Gamma, r:\psi_1 \vdash q:\Diamond\varphi$ and
• $\pi'_3$ of $G;\Gamma, r:\psi_2 \vdash q:\Diamond\varphi$.


Moreover, each one of these deductions is of size strictly smaller than the size
of $\pi$, and neither $\psi_1$ nor $\psi_2$ contains a positive subformula with $\Diamond$ as principal sign.
So we can apply the induction hypothesis to $\pi'_2$ and $\pi'_3$ to obtain $G;\Gamma,\psi_1 \vdash
p:\bigcirc^{i_1}\varphi \vee \cdots \vee \bigcirc^{i_k}\varphi$ and $G;\Gamma,\psi_2 \vdash p:\bigcirc^{j_1}\varphi \vee \cdots \vee \bigcirc^{j_h}\varphi$. Hence, by or-elimination
using $\pi'_1$, we have $\Gamma \vdash p:\bigcirc^{i_1}\varphi \vee \cdots \vee \bigcirc^{i_k}\varphi \vee \bigcirc^{j_1}\varphi \vee \cdots \vee \bigcirc^{j_h}\varphi$. $\square$


In the classical version of the system we can build a simple deduction showing
$\Diamond\varphi \equiv \neg\Box\neg\varphi$, so that each of $\Diamond$ and $\Box$ is expressible in terms of its dual. In the
intuitionistic fragment instead neither $\Diamond$ nor $\Box$ can be expressed in terms of the other
connectives.
Definition 4.3.10 A binary (unary) connective $\otimes$ is said to be definable if, for each pair of
propositional variables $a_1, a_2$ (for each $a$), there exists a formula $\varphi$ in which the connective $\otimes$ does not
occur, such that $\vdash \varphi \equiv a_1 \otimes a_2$ ($\vdash \varphi \equiv \otimes a$).

Conversely, $\otimes$ is said to be independent if no such $\varphi$ exists.


Proposition 4.3.11 Each connective and temporal quantifier is independent in the
intuitionistic version of STL.


Proof. We will treat only the cases of $\Diamond$ and $\Box$; for the propositional connectives
we refer to [Pra65].

Assume by contradiction that there exists a formula $\psi$ in which the connective $\Diamond$ does not occur
and such that $\Diamond a \equiv \psi$. Then there exists a proof of $p:\psi \vdash p:\Diamond a$, and
by Corollary 4.3.9, we also have $p:\psi \vdash p:\bigcirc^{i_1}a \vee \cdots \vee \bigcirc^{i_n}a$.

Now, from $\vdash p:\psi \equiv \Diamond a$ and $p:\psi \vdash p:\bigcirc^{i_1}a \vee \cdots \vee \bigcirc^{i_n}a$, we have immediately
$p:\Diamond a \vdash p:\bigcirc^{i_1}a \vee \cdots \vee \bigcirc^{i_n}a$ and, applying Corollary 4.3.7, $p:\Diamond a \vdash p:\bigcirc^k a$ for
some $k$. Moreover, since $p\,R'\,q; q:a \vdash p:\Diamond a$ and $p\,R\,p_1,\ldots,p_{k-1}\,R\,p_k; p:\bigcirc^k a \vdash
p_k:a$, we should also have a normal deduction of


$$p\,R'\,q,\ p\,R\,p_1,\ \ldots,\ p_{k-1}\,R\,p_k;\ q:a \vdash p_k:a$$


which is impossible, since we have no rule to apply except for relational rules, and we
cannot prove $p\,R'\,q,\ p\,R\,p_1,\ \ldots,\ p_{k-1}\,R\,p_k \vdash p_k = q$.

Assume by contradiction that there exists a formula $\psi$ not containing $\Box$ such that
$\psi \equiv \Box a$. Then there must be a normal proof $\pi$ of $p\,R'\,q; p:\psi \vdash q:a$ and by
Corollary 4.3.4 such a proof does not contain the rules $(\Box_I)$ and $(\Box_E)$.

Consider now a main path $\sigma_1,\ldots,\sigma_n$ in $\pi$ and let $q_1:\psi_1,\ldots,q_n:\psi_n$ be the conclusions
of $\sigma_1,\ldots,\sigma_n$ respectively. By Lemma 4.3.2, $\sigma_n$ can only be either the conclusion
of a $(\bot_E)$ or the conclusion of an elimination rule. In the first case we also have
$\vdash p:\psi \to \bot$, contradicting $\psi \equiv \Box a$. Hence we know that each $\sigma_i$ is the conclusion
of an elimination rule.

Now we show that for each $j$, $q_{j+1}$ and $q_j$ must be the same world variable. First
observe that we can only derive $q = r$ if $r$ is equal to $q$ (the same variable), so that the labelled
formulas in segment $\sigma_j$ are labelled with $q_j$ and in particular the first formula of $\sigma_j$
has label $q_j$.

Now let us consider the possible rules deriving $\sigma_{j+1}$ from $\sigma_j$. In case $\sigma_{j+1}$ is the
conclusion of a propositional rule, clearly $q_{j+1} = q_j$. The case that $\sigma_{j+1}$ is the conclusion
of $(\bigcirc_E)$ can be excluded since we cannot derive the premise $p'\,R\,q$. The only
remaining case is that $\sigma_{j+1}$ is discharged by an application of $(\Diamond_E)$ having $\sigma_j$ as premise,
but this is also impossible due to the side condition in $(\Diamond_E)$. So we know that
the first formula of $\sigma_1$ is labelled with the world variable $q$. But this contradicts the fact
that the only open assumption of $\pi$ is $p:\psi$. $\square$


Chapter 5


Temporal Logics


We now study a proof system obtained from NK-STL by the addition of an induction
rule on worlds. We prove the soundness and completeness of the proof system with respect to
linear temporal logic; then we show how proof systems for other temporal logics can
be obtained by changing the relational rules.

Finally we study some properties of deductions in this system and show that the
use of the induction rule leads to a failure of normalization.


5.1 Language and Semantics


To keep the presentation of linear temporal logic semantics close to small temporal
logic semantics we will use the following definition of linear temporal frames.


Definition 5.1.1 A linear frame $M$ is a triple $(W, R, R^*)$ where:
• $W$ is a set of "worlds";
• $R$ is a linear, total relation over $W$;
• $R^*$ is the reflexive and transitive closure of $R$.


Structures and the satisfaction relation are defined from linear frames in the
same way as for small temporal logic.


We have the following connection between small temporal logic and linear temporal
logic structures and frames.


Fact 5.1.2
• Each linear temporal logic frame is also a simple temporal logic frame.


• Each linear temporal logic structure is also a simple temporal structure.
The following connection between the two satisfaction relations follows immediately.


Corollary 5.1.3 For each $\varphi$, $\mathrm{STL} \models \varphi$ implies $\mathrm{LTL} \models \varphi$.
Proof. Follows immediately from Fact 5.1.2. $\square$


5.2 Proof Systems


We will again use labelled formulas and relational judgments within our proof system;
we will use the relational judgment $p\,R^*\,q$ for the modalities $\Diamond$ and $\Box$ instead
of $p\,R'\,q$.


Definition 5.2.1 (NK-LTL) The proof system for Linear Temporal Logic is obtained
from NK-STL by the addition of the following induction rule:


$$
\dfrac{
p\,R^*\,q \qquad p:\varphi \qquad
\begin{array}{c}[p\,R^*\,p']\ \ [p'\,R\,p'']\ \ [p':\varphi]\\ \vdots\\ p'':\varphi\end{array}
}{q:\varphi}\;(R^*_{\mathrm{ind}})^{(p',p'')}
$$

This proof system will be denoted with NK-LTL. In the same way NJ-LTL will
denote the proof system obtained from NJ-STL by the addition of $(R^*_{\mathrm{ind}})$.


This is the rule that permits inductive arguments: the two premises $p:\varphi$ and $p'':\varphi$ of the rule
correspond to the base case and the inductive case respectively. In order to show,
by induction, that the formula $\varphi$ holds in some world $q$ reachable from $p$, we show that
$\varphi$ holds in $p$ and that each time it holds in some world $p'$ reachable from $p$ it also holds
in the next world $p''$.


Example 5.2.2 The induction axiom $\varphi \to \Box(\varphi \to \bigcirc\varphi) \to \Box\varphi$ is an example of a
formula whose proof requires the $(R^*_{\mathrm{ind}})$ rule:


$$
\dfrac{
[p\,R^*\,q]\qquad p:\varphi\qquad
\dfrac{
[p'\,R\,p'']\qquad
\dfrac{
[p':\varphi]\qquad
\dfrac{p:\Box(\varphi\to\bigcirc\varphi)\qquad [p\,R^*\,p']}{p':\varphi\to\bigcirc\varphi}\;(\Box_E)
}{p':\bigcirc\varphi}\;(\to_E)
}{p'':\varphi}\;(\bigcirc_E)
}{q:\varphi}\;(R^*_{\mathrm{ind}})
$$

followed by $(\Box_I)$, which discharges $[p\,R^*\,q]$ and yields $p:\Box\varphi$, and by two applications of
$(\to_I)$ discharging $p:\Box(\varphi\to\bigcirc\varphi)$ and $p:\varphi$.


Proposition 5.2.3 (Soundness) NK-LTL is sound with respect to LTL, i.e.
$$\Gamma \vdash p:\varphi \;\Rightarrow\; \Gamma \models p:\varphi$$


for each set of formulas $\Gamma$ and for each formula $\varphi$.
Proof. Since NK-STL is sound with respect to STL and since each LTL structure
is also an STL structure, we only need to prove the soundness of $(R^*_{\mathrm{ind}})$.

So assume $M = (W, R, R^*, \rho)$ is an LTL structure and $\sigma$ an environment such
that $M,\sigma \models p\,R^*\,q$, $M,\sigma \models p:\varphi$ and, if $M,\sigma \models p\,R^*\,p', p'\,R\,p'', p':\varphi$, then
$M,\sigma \models p'':\varphi$.

Since $R^*$ is the transitive and reflexive closure of $R$ there exists a (possibly
empty) sequence $w_0,\ldots,w_n \in W$ such that $w_0 = \sigma(p)$, $w_n = \sigma(q)$ and $w_i\,R\,w_{i+1}$ for
each $i$. We proceed by induction on $n$.

If $n = 0$, since $w_0 = \sigma(p) = \sigma(q)$, we immediately have $M,w_0 \models \varphi$.

Assuming $M,w_{n-1} \models \varphi$, consider $\sigma' = \sigma[p' \mapsto w_{n-1}][p'' \mapsto w_n]$ where $p'$ and $p''$
are fresh world variables; we will have $M,\sigma' \models p\,R^*\,p', p'\,R\,p'', p':\varphi$. Now, by the
assumption on $M$ and $\sigma$, we can conclude $M,\sigma' \models p'':\varphi$, and so also $M,\sigma \models q:\varphi$.

$\square$


Proposition 5.2.4 (Completeness)
$$\Gamma \models p:\varphi \;\Rightarrow\; \Gamma \vdash p:\varphi$$
where $\Gamma$ contains only a finite set of formulas.
Proof. Since in NK-STL we derive each axiom of the STL axiomatization, it is
sufficient to give a proof of the induction schema (see Example 5.2.2) to obtain a
complete axiomatization for LTL. $\square$


Remark 5.2.5 Observe the proviso on the finiteness of the set of assumptions in
Proposition 5.2.4. A logic for which the implication of Proposition 5.2.4 holds only
under such a condition is usually said to be weakly complete; conversely, a logic for
which the implication holds also for infinite sets of assumptions is said to be strongly
complete.

The necessity of considering only finite sets of assumptions is related to induction.
Since we require that the relation $R^*$ is the minimal reflexive and transitive relation
including $R$, we can enumerate all the points reachable from some starting point $w$
via $R^*$. On the other side we insist on having finite proofs, so that we cannot make use
of an infinite set of assumptions.

The standard counterexample to the strong completeness of LTL is given by the
sequent $\Gamma \vdash p:\Box\varphi$ where $\Gamma = \{p:\bigcirc^n\varphi \mid n < \omega\}$. Obviously, since the proof system
is sound, we cannot prove $p:\Box\varphi$ without using each of the assumptions, and this is
impossible in a finite proof.


In the following we will consider proof systems obtained from NK-STL that 
capture other temporal logics. 
5.2.1 Until Temporal Logic


The system we considered up to now is not the full linear time logic; indeed what
is normally called Linear Time Logic also includes a binary modality until (written
$U$) with the following semantics:
$$
M,w \models \varphi\,U\,\psi \iff \exists\, w_0\,R\cdots R\,w_n \text{ such that } w = w_0,\ M,w_n \models \psi \text{ and } \forall i < n.\ M,w_i \models \varphi \tag{5.2.1}
$$


Even if this fits poorly in the setting we set up, we can give rules for this connective
as well:


$$
\dfrac{p:\varphi_2}{p:\varphi_1\,U\,\varphi_2}\;(U_{I_1})
\qquad\qquad
\dfrac{p:\varphi_1 \qquad p:\bigcirc(\varphi_1\,U\,\varphi_2)}{p:\varphi_1\,U\,\varphi_2}\;(U_{I_2})
$$

$$
\dfrac{
p:\varphi_1\,U\,\varphi_2 \qquad
\begin{array}{c}[p\,R^*\,p'']\ \ [p'':\varphi_2]\\ \vdots\\ p'':\psi\end{array} \qquad
\begin{array}{c}[p\,R^*\,p'']\ \ [p''\,R\,p']\ \ [p'':\varphi_1]\ \ [p':\psi]\\ \vdots\\ p'':\psi\end{array}
}{p:\psi}\;(U_E)^{(p',p'')}
$$

The system obtained from NK-LTL by the addition of the rules above will be
called NK-UTL.
Even if the name is improper, we will write LTL when referring to the logic with
modal operators $\bigcirc$, $\Box$ and $\Diamond$, and we will write UTL when we refer to the logic that
also contains the modal operator $U$.


Proposition 5.2.6 (Soundness)
$$\Gamma \vdash p:\varphi \;\Rightarrow\; \Gamma \models p:\varphi$$
for each set of UTL formulas $\Gamma$ and for each UTL formula $\varphi$.


Proof. From Proposition 5.2.3 it is sufficient to show the soundness of the rules concerned
with the connective until. The two introduction rules can be immediately seen to be
sound.

To show the soundness of the elimination rule consider a structure $M$ and an environment
$\sigma$ satisfying the premises of $(U_E)$. From $M,\sigma \models p:\varphi_1\,U\,\varphi_2$ and from (5.2.1)
we have worlds $w_0,\ldots,w_n$ such that $\sigma(p) = w_0$, $M,w_n \models \varphi_2$ and for all $i < n$
$M,w_i \models \varphi_1$. We now prove by induction on $i$ that $i \le n \Rightarrow M,w_{n-i} \models \psi$.

For $i = 0$ this amounts to proving $M,w_n \models \psi$; consider an environment $\sigma' =
\sigma[p'' \mapsto w_n]$ for a fresh variable $p''$. Obviously we will have $M,\sigma' \models p\,R^*\,p''$
and $M,\sigma' \models p'':\varphi_2$. Hence, applying the second premise of the rule, we also have
$M,\sigma' \models p'':\psi$, i.e. $M,w_n \models \psi$.

Assuming $M,w_{n-i} \models \psi$, consider an environment $\sigma' = \sigma[p'' \mapsto w_{n-i-1}][p' \mapsto
w_{n-i}]$ for fresh variables $p'$ and $p''$. By the inductive hypothesis we have $M,\sigma' \models p':\psi$.
Hence, by applying the third premise of the rule, we obtain $M,\sigma' \models p'':\psi$, i.e.
$M,w_{n-i-1} \models \psi$.

To conclude, observe that from $M,w_0 \models \psi$ it immediately follows that $M,\sigma \models p:\psi$. $\square$
Proposition 5.2.7 (Completeness)
$$\Gamma \models p:\varphi \;\Rightarrow\; \Gamma \vdash p:\varphi$$


for each finite set of UTL formulas $\Gamma$ and for each UTL formula $\varphi$.


Proof. Again the proof can be given by a reduction to a well known complete axiom
system. The addition of the axioms


$$
\varphi_1\,U\,\varphi_2 \equiv \varphi_2 \vee (\varphi_1 \wedge \bigcirc(\varphi_1\,U\,\varphi_2))
$$
$$
\varphi_1\,U\,\varphi_2 \to \Diamond\varphi_2
$$


to an axiomatization of LTL is known to give a complete axiomatization of the logic.
As an example we consider the second axiom above:


$$
\dfrac{
p:\varphi_1\,U\,\varphi_2 \qquad
\dfrac{[p\,R^*\,p'']\qquad [p'':\varphi_2]}{p'':\Diamond\varphi_2}\;(\Diamond_I) \qquad
\dfrac{
[p':\Diamond\varphi_2] \qquad
\dfrac{
\dfrac{[p''\,R\,p']\qquad [p'\,R^*\,q]}{p''\,R^*\,q}\;(\rho) \qquad [q:\varphi_2]
}{p'':\Diamond\varphi_2}\;(\Diamond_I)
}{p'':\Diamond\varphi_2}\;(\Diamond_E)
}{p:\Diamond\varphi_2}\;(U_E)
$$


where $(\rho)$ are relational rules used to discharge the judgment $p''\,R^*\,q$ from the assumptions
$p''\,R\,p'$ and $p'\,R^*\,q$; a final $(\to_I)$ gives $p:\varphi_1\,U\,\varphi_2 \to \Diamond\varphi_2$. $\square$


5.2.2 Past Tense operators


A common extension of LTL is obtained by adding modalities quantifying over the past.
Essentially two choices are possible: one is that of adding a distinguished initial point
in the structures, the other is that of having structures extending infinitely in both
directions. We will discuss briefly the system arising from the latter (simpler) choice.

For each modality of LTL we can add its "mirror image", changing the direction
of the quantification, so from $\bigcirc$, $\Box$ and $\Diamond$ we obtain the modalities $\bigcirc^-$, $\Box^-$ and $\Diamond^-$
respectively, with the following semantic definition:


$$
\begin{array}{lcl}
M,w \models \bigcirc^-\varphi & \iff & M,w' \models \varphi \text{ for all } w' \in W \text{ such that } w'\,R\,w\\
M,w \models \Box^-\varphi & \iff & M,w' \models \varphi \text{ for all } w' \in W \text{ such that } w'\,R^*\,w\\
M,w \models \Diamond^-\varphi & \iff & M,w' \models \varphi \text{ for some } w' \in W \text{ such that } w'\,R^*\,w
\end{array}
$$


The resulting logic will be called PLTL.

In order to exploit the symmetry between future tense modalities and past tense
modalities we start by defining an involutive function $[\cdot]^-$ on PLTL modal operators
that associates to each future time modal operator its past time analogue:


$$
[\bigcirc]^- = \bigcirc^- \quad [\bigcirc^-]^- = \bigcirc \quad [\Box]^- = \Box^- \quad [\Box^-]^- = \Box \quad [\Diamond]^- = \Diamond^- \quad [\Diamond^-]^- = \Diamond
$$
Then we extend $[\cdot]^-$ to formulas taking $[a]^- = a$, $[\odot\varphi]^- = [\odot]^-[\varphi]^-$ for each
modal operator $\odot$ and $[\varphi \otimes \psi]^- = [\varphi]^- \otimes [\psi]^-$ for each propositional connective $\otimes$.

Finally an axiomatization of PLTL (see [Sti92]) can be obtained by adding to the
axiomatization of LTL the axioms:


P0) $\varphi \to \bigcirc\bigcirc^-\varphi$;

P1) $\varphi \to \Box\Diamond^-\varphi$;

and the following inference rule:
R$^-$) if $\varphi$ then $[\varphi]^-$.


The axioms establish the relation between past time operators and future time
operators; the inference rule states the symmetry between past and future.

We obtain the rules for the past time modal operators simply by reversing the relational
judgments in the rules of the corresponding future time modal operators, for instance:


$$
\dfrac{\begin{array}{c}[q\,R\,p]\\ \vdots\\ q:\varphi\end{array}}{p:\bigcirc^-\varphi}\;(\bigcirc^-_I)
\qquad
\dfrac{p:\bigcirc^-\varphi \qquad q\,R\,p}{q:\varphi}\;(\bigcirc^-_E)
\qquad
\dfrac{q\,R^*\,p \qquad q:\varphi}{p:\Diamond^-\varphi}\;(\Diamond^-_I)
$$


We will also need the addition of the relational rules (the rule names below are those used in the
reconstruction of this scan):


$$
\dfrac{\begin{array}{c}[p\,R\,q]\\ \vdots\\ p_0:\varphi\end{array}}{p_0:\varphi}\;(R^-_{\mathrm{tot}})^{(p)}
\qquad
\dfrac{\{p_i\,R\,q\}_{i\in\{1,2\}} \qquad \begin{array}{c}[p_1 = p_2]\\ \vdots\\ p_0:\varphi\end{array}}{p_0:\varphi}\;(R^-_{\mathrm{lin}})
\qquad
\dfrac{q\,R^*\,p \qquad p:\varphi \qquad \begin{array}{c}[p''\,R\,p']\ \ [p'\,R^*\,p]\ \ [p':\varphi]\\ \vdots\\ p'':\varphi\end{array}}{q:\varphi}\;(R^-_{\mathrm{ind}})^{(p',p'')}
$$


The proof system obtained by addition of the previous rules to NK-LTL will be
denoted with NK-PLTL.


Proposition 5.2.8 (Soundness)
$$\Gamma \vdash p:\varphi \;\Rightarrow\; \Gamma \models p:\varphi$$


for each set of PLTL formulas $\Gamma$ and for each formula $\varphi$.


Proof. It is sufficient to show the soundness of the rules related to past modalities.
The proof proceeds along the lines of the proof of Proposition 5.2.3. $\square$
In order to prove the completeness of NK-PLTL we show that rule R$^-$ is eliminable
in the system. First we extend the function $[\cdot]^-$ to judgments as follows:
$$[p:\varphi]^- = p:[\varphi]^- \qquad [p\,R\,q]^- = q\,R\,p \qquad [p\,R^*\,q]^- = q\,R^*\,p$$
Lemma 5.2.9


$$G;\Gamma \vdash p:\varphi \;\Rightarrow\; [G]^-;[\Gamma]^- \vdash [p:\varphi]^-$$
for each set of PLTL formulas $\Gamma$ and for each PLTL formula $\varphi$.


Proof. The proof proceeds by induction on a deduction $\pi$ of $G;\Gamma \vdash p:\varphi$.

As an example consider the case that $\pi$ concludes with a $(\bigcirc_I)$. Then the
premise of $\pi$ is a deduction $\pi'$ of $G, p\,R\,q;\Gamma \vdash q:\varphi$ and its conclusion is $p:\bigcirc\varphi$. By
induction hypothesis we know that there exists a deduction of $[G]^-, q\,R\,p; [\Gamma]^- \vdash q:[\varphi]^-$
and, applying $(\bigcirc^-_I)$, we immediately have also a deduction of $[G]^-;[\Gamma]^- \vdash p:\bigcirc^-[\varphi]^-$.
$\square$


Proposition 5.2.10 (Completeness)
$$\Gamma \models p:\varphi \;\Rightarrow\; \Gamma \vdash p:\varphi$$


for each finite set of PLTL formulas $\Gamma$ and for each formula $\varphi$.


Proof. Again we can derive the axioms and rules of a complete axiomatization.

The fact that rule R$^-$ is derivable follows immediately from Lemma 5.2.9. Hence
it is sufficient to show that NK-PLTL proves axioms P0 and P1, and this is shown
by the two following derivations:


$$
\dfrac{
\dfrac{
\dfrac{
[p\,R\,q] \qquad [r\,R\,q] \qquad \dfrac{[p = r] \qquad [p:\varphi]}{r:\varphi}\;(=)
}{r:\varphi}\;(R^-_{\mathrm{lin}})
}{q:\bigcirc^-\varphi}\;(\bigcirc^-_I)
}{p:\bigcirc\bigcirc^-\varphi}\;(\bigcirc_I)
\qquad\qquad
\dfrac{
\dfrac{[p\,R^*\,q] \qquad [p:\varphi]}{q:\Diamond^-\varphi}\;(\Diamond^-_I)
}{p:\Box\Diamond^-\varphi}\;(\Box_I)
$$

In each derivation a final $(\to_I)$ discharging $[p:\varphi]$ gives $p:\varphi \to \bigcirc\bigcirc^-\varphi$ and
$p:\varphi \to \Box\Diamond^-\varphi$ respectively. $\square$


5.2.3 Branching Time logics


Another interesting logic arises by dropping the requirement of linearity for the accessibility
relation. Temporal logics in which the accessibility relation is not required to
be linear are said to be branching time logics, in opposition to linear time logics.


Definition 5.2.11 (Branching time frames and structures) A branching time
frame $M$ is a triple $(W, R, R')$ where:


• $(W, R)$ and $(W, R')$ are Kripke frames;
• $R$ is a total relation on $W$;
• $R'$ is reflexive and transitive;
• the reflexive and transitive closure of $R$ is included in $R'$.


Given a set of propositional variables $L$, a branching time structure over $L$ is a
quadruple $(W, R, R', \rho)$ such that $(W, R, R')$ is a branching time frame and $\rho: W \to
2^L$ is a truth assignment.


Usually branching time logics provide modal operators to quantify over paths of
structures. In the following we will not consider such operators and limit the discussion
to the logic induced by the interpretation of LTL connectives over branching
time structures. We will call such a logic Branching Time Logic (or BTL for short).

An axiomatization for branching time logic can be obtained from the axiomatization
of LTL (see Definition 2.2.9) simply by replacing axiom T3 with axiom D.

Having equality explicit in the system NK-LTL makes it easy to drop the linearity
assumptions. So, in order to obtain the proof system NK-BTL for branching
time logic, we simply remove from NK-LTL the linearity rules $(R_{\mathrm{lin}})$ and $(=)$.


Proposition 5.2.12 (Soundness)
$$\Gamma \vdash p:\varphi \;\Rightarrow\; \Gamma \models p:\varphi$$
for each set of BTL formulas $\Gamma$ and for each formula $\varphi$.
Proof. Each rule of NK-BTL is sound. $\square$
Proposition 5.2.13 (Completeness)
$$\Gamma \models p:\varphi \;\Rightarrow\; \Gamma \vdash p:\varphi$$
for each set of BTL formulas $\Gamma$ and for each formula $\varphi$.


Proof. Derive each axiom of BTL. $\square$


5.3 A partial result of normalization


The definitions and facts stated in Section 3.4.1 can be easily extended to the system
for LTL; the only difference will be that a relational judgment occurrence $J$ can
depend on a relational judgment occurrence $J'$ also by means of an $(R^*_{\mathrm{ind}})$.


Lemma 5.3.1 Given a deduction $\pi$ of $\Gamma \vdash p:\varphi$, there exists an equivalent deduction $\hat\pi$
such that:


• in $\hat\pi$ no $(R^*_{\mathrm{ind}})$ occurs with relational premise of finite length (cf. Definition
3.4.3);
• any logical rule and any induction rule occurring in $\hat\pi$ also occurs in $\pi$.


Proof. We proceed by induction on the number of $(R^*_{\mathrm{ind}})$ with premise of finite length
occurring in $\pi$. In the case that there is no $(R^*_{\mathrm{ind}})$ in $\pi$ with premise of finite length,
we immediately have the result taking $\hat\pi = \pi$.

Otherwise consider an innermost occurrence of $(R^*_{\mathrm{ind}})$ in $\pi$ with premise $p\,R^*\,q$ of
finite length:


$$
\dfrac{p\,R^*\,q \qquad \begin{array}{c}\pi'\\ p:\varphi\end{array} \qquad \begin{array}{c}\pi''\\ p'':\varphi\end{array}}{q:\varphi}\;(R^*_{\mathrm{ind}})
$$

i.e. one such that each $(R^*_{\mathrm{ind}})$ occurring in $\pi'$ or $\pi''$ (possibly none) has a relational
premise of infinite length.

Applying Proposition 3.4.6 we obtain two sequences $s_0,\ldots,s_n$ and $e_0,\ldots,e_n$. Now,
proceeding by induction on $n$, we define a deduction $\bar\pi_n$ equivalent to this subdeduction that
does not contain occurrences of $(R^*_{\mathrm{ind}})$.

If $n = 0$ take


$$
\bar\pi_0 \;=\; \dfrac{\begin{array}{c}\pi'\\ p:\varphi\end{array} \qquad [p = q]}{q:\varphi}\;(\rho)
$$


where $(\rho)$ are relational rules discharging $p = q$.
By induction hypothesis there exists $\bar\pi_{n-1}$ equivalent to the deduction


$$
\dfrac{p\,R^*\,s_{n-1} \qquad \begin{array}{c}\pi'\\ p:\varphi\end{array} \qquad \begin{array}{c}\pi''\\ p'':\varphi\end{array}}{s_{n-1}:\varphi}\;(R^*_{\mathrm{ind}})
$$


so take as $\bar\pi_n$ the deduction


$$
\dfrac{
\begin{array}{c}
[p\,R^*\,s_{n-1}] \qquad s_{n-1}\,R\,e_n \qquad \begin{array}{c}\bar\pi_{n-1}\\ s_{n-1}:\varphi\end{array}\\
\pi''\{s_{n-1}/p',\, e_n/p''\}\\
e_n:\varphi
\end{array}
\qquad [q = e_n]
}{q:\varphi}\;(\rho)
$$


where $(\rho)$ are relational rules discharging the assumptions $p\,R^*\,s_{n-1}$ and $q = e_n$; the
renaming of $p'$ and $p''$ in $\pi''$ is sound since these variables must be fresh in $\pi''$.
The external inductive hypothesis concludes the proof. $\square$


The lemma also states that each deduction that does not contain occurrences of
$(R^*_{\mathrm{ind}})$ with premises of infinite length is also an STL deduction.
Proposition 5.3.2 For each LTL deduction that does not contain occurrences of
$(R^*_{\mathrm{ind}})$ with relational premise of infinite length there exists an equivalent normal deduction.


Proof. Follows immediately from the previous lemma and from the normalization result for
NK-STL. $\square$


5.4 Failure of normalization


It is well known that inductive proofs, intuitionistic or not, may require inductive
arguments stronger than the conclusion of the proof. In this section we try to
formalize this fact within our proof system.

A negative consequence of this statement will be the failure of cut elimination
for NK-LTL.

In the following we will consider the sets of judgments


$$
G = \{p_i\,R\,p_{i+1},\ p_i\,R^*\,p_j \mid 0 \le i < j\}, \qquad \Gamma = \{p_0:a,\ p_0:\bigcirc a,\ p_0:\Box(a \to \bigcirc\bigcirc a)\}
$$
with $a$ an atomic formula. We will also need the set
$$
\Gamma' = \{p_i:\psi,\ p_i:\neg\psi \mid \psi \text{ is a subformula of some } \chi \in \Gamma,\ 0 \le i\}.
$$
Lemma 5.4.1 For each $\varphi \in \{a, \bigcirc a, \bigcirc\bigcirc a, \neg a, \neg\bigcirc a, \neg\bigcirc\bigcirc a\}$ and for each $i < \omega$
$$
G;\Gamma \nvdash_{\mathrm{STL}} p_i:\Box\varphi \qquad \text{and} \qquad G;\Gamma \nvdash_{\mathrm{STL}} p_i:\Box(\varphi \to \bigcirc\varphi)
$$


Proof. We simply build a counter-model for the two formulas.
Take $M = (W, R, R', \rho)$ as follows:


$$
W = \omega + \omega = \{0, 1, \ldots, \omega, \omega+1, \ldots\} \qquad R = \{(i, i+1) \mid 0 \le i < \omega+\omega\}
$$
$$
R' = \{(i, j) \mid 0 \le i \le j < \omega+\omega\} \qquad a \in \rho(i) \iff i < \omega \vee i = \omega + 2k
$$


and $\sigma$ such that $\sigma(p_i) = i$.
It is easily seen that $M,\sigma \models G$ and $M,\sigma \models \Gamma$, but $M,\sigma$ satisfies neither $p_0:\Box\varphi$
nor $p_0:\Box(\varphi \to \bigcirc\varphi)$. $\square$
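The labelled semantics of Section 5.2.1 (next over $R$, $\Box$/$\Diamond$ over $R'$, until as in (5.2.1)) and the counter-model idea of Lemma 5.4.1 can both be exercised mechanically. The following evaluator is an added example, not code from the thesis; it checks the two until axioms of Proposition 5.2.7 and the induction axiom of Example 5.2.2 on constructed linear lasso structures, and then builds a constructed finite STL frame (three worlds standing in for the finite part and the even/odd points of the $\omega+\omega$ model, with $R'$ strictly larger than $R^*$) on which $\Gamma$ holds but $\Box a$ and $\Box(a\to\bigcirc a)$ fail, while the strengthened invariant $a \wedge \bigcirc a$ is inductive.

```python
"""Evaluator for the labelled temporal semantics used on this page over finite
frames (W, R, R'): next quantifies over R-successors, box/dia over R'-successors,
and phi U psi follows (5.2.1).  Formulas are nested tuples (constructed syntax):
('var', 'a') ('not', f) ('and', f, g) ('or', f, g) ('imp', f, g)
('next', f) ('box', f) ('dia', f) ('until', f, g)"""


class Frame:
    def __init__(self, worlds, R, Rprime, val):
        self.W = list(worlds)
        self.R = set(R)           # next-time relation
        self.Rp = set(Rprime)     # R': reflexive, transitive, contains R*
        self.val = val            # world -> set of true propositional variables

    def succ(self, w, rel):
        return {v for (u, v) in rel if u == w}

    def until_set(self, f, g):
        """Worlds satisfying f U g: least fixpoint of U = g or (f and some
        R-successor in U), which is exactly the finite R-path of (5.2.1)."""
        sat = {w for w in self.W if self.holds(w, g)}
        while True:
            new = sat | {w for w in self.W
                         if self.holds(w, f) and self.succ(w, self.R) & sat}
            if new == sat:
                return sat
            sat = new

    def holds(self, w, phi):
        op = phi[0]
        if op == 'var':
            return phi[1] in self.val[w]
        if op == 'not':
            return not self.holds(w, phi[1])
        if op == 'and':
            return self.holds(w, phi[1]) and self.holds(w, phi[2])
        if op == 'or':
            return self.holds(w, phi[1]) or self.holds(w, phi[2])
        if op == 'imp':
            return (not self.holds(w, phi[1])) or self.holds(w, phi[2])
        if op == 'next':
            return all(self.holds(v, phi[1]) for v in self.succ(w, self.R))
        if op == 'box':
            return all(self.holds(v, phi[1]) for v in self.succ(w, self.Rp))
        if op == 'dia':
            return any(self.holds(v, phi[1]) for v in self.succ(w, self.Rp))
        if op == 'until':
            return w in self.until_set(phi[1], phi[2])
        raise ValueError(op)

    def valid(self, phi):
        return all(self.holds(w, phi) for w in self.W)


def closure(worlds, R):
    """Reflexive and transitive closure R* (a linear frame uses R' = R*)."""
    Rs = {(w, w) for w in worlds} | set(R)
    changed = True
    while changed:
        changed = False
        for (a, b) in list(Rs):
            for (c, d) in list(Rs):
                if b == c and (a, d) not in Rs:
                    Rs.add((a, d))
                    changed = True
    return Rs


def lasso(labels, loop):
    """Constructed linear structure: worlds 0..n-1, i R i+1, last world R loop."""
    n = len(labels)
    W = list(range(n))
    R = {(i, i + 1) for i in range(n - 1)} | {(n - 1, loop)}
    return Frame(W, R, closure(W, R), dict(enumerate(labels)))


A, B = ('var', 'a'), ('var', 'b')


def iff(f, g):
    return ('and', ('imp', f, g), ('imp', g, f))


# Until axioms of Proposition 5.2.7 and the induction axiom of Example 5.2.2.
UNFOLD = iff(('until', A, B), ('or', B, ('and', A, ('next', ('until', A, B)))))
EVENTUALLY = ('imp', ('until', A, B), ('dia', B))
INDUCTION = ('imp', A, ('imp', ('box', ('imp', A, ('next', A))), ('box', A)))


def check_linear_axioms():
    """All three axioms are valid on the constructed sample lassos."""
    samples = [lasso([{'a'}, {'a'}, {'b'}, set()], loop=3),
               lasso([{'a'}, set(), {'a', 'b'}], loop=1),
               lasso([{'b'}], loop=0)]
    return all(m.valid(f) for m in samples for f in (UNFOLD, EVENTUALLY, INDUCTION))


def lemma_5_4_1_instance():
    """Constructed finite STL analogue of the Lemma 5.4.1 counter-model:
    'f' stands for the finite part (a everywhere, R-loop), 'e'/'o' for the even/odd
    points beyond it; R' reaches 'e','o' from 'f' although R* does not."""
    W = ['f', 'e', 'o']
    R = {('f', 'f'), ('e', 'o'), ('o', 'e')}
    Rp = closure(W, R) | {('f', 'e'), ('f', 'o')}
    m = Frame(W, R, Rp, {'f': {'a'}, 'e': {'a'}, 'o': set()})
    gamma = [A, ('next', A), ('box', ('imp', A, ('next', ('next', A))))]
    strong = ('and', A, ('next', A))           # the strengthened invariant
    return {'gamma_holds': all(m.holds('f', g) for g in gamma),
            'box_a': m.holds('f', ('box', A)),
            'box_step': m.holds('f', ('box', ('imp', A, ('next', A)))),
            'strong_step': m.holds('f', ('box', ('imp', strong, ('next', strong))))}
```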


Lemma 5.4.2 Let $\Delta \subseteq \Gamma'$ be a set of logical judgments, $G'$ a set of relational judgments
and $\varphi$ a formula in $\{a, \bigcirc a, \bigcirc\bigcirc a, \neg a, \neg\bigcirc a, \neg\bigcirc\bigcirc a\}$. Then


$$
G, G'; \Gamma, \Delta \vdash_{\mathrm{STL}} p_i:\Box(\varphi \to \bigcirc\varphi) \;\Rightarrow\; G, G'; \Gamma, \Delta \vdash_{\mathrm{STL}} \bot
$$


Proof. First observe that for any $\psi$ subformula of some formula in $\Gamma$ and for any $i$
we have $G;\Gamma \vdash_{\mathrm{STL}} p_i:\psi$ and so, by soundness of NK-STL, also $G, G'; \Gamma, \Gamma' \models_{\mathrm{STL}} p_i:\psi$.

Assume by contradiction that $G, G'; \Gamma, \Delta$ is satisfiable and the antecedent of the
implication is verified.
Consider now any judgment $p_i:\psi$ in $\Delta$. By the assumptions on $\Delta$, $\psi$ must be
either a subformula of some formula in $\Gamma$, or the negation of a subformula of some
formula in $\Gamma$. In the former case we have $G;\Gamma \vdash p_i:\psi$, in the latter case we have
$G;\Gamma, p_i:\psi \vdash \bot$. Hence from our assumption on the satisfiability of $G, G'; \Gamma, \Delta$ we must
conclude $G;\Gamma \vdash J$ for each $J \in \Delta$, i.e. $G;\Gamma \vdash \Delta$.

But now, from $G;\Gamma \vdash \Delta$ and from $G;\Gamma, \Delta \vdash \Box(\varphi \to \bigcirc\varphi)$ we must conclude
$G;\Gamma \vdash \Box(\varphi \to \bigcirc\varphi)$, contradicting Lemma 5.4.1. $\square$


Lemma 5.4.3 If there exists an NK-LTL deduction of $G, p_0\,R^*\,q; \Gamma \vdash q:\varphi$ satisfying the
subformula property, there exists also an equivalent NK-STL deduction.


Proof. Let $\pi$ be an NK-LTL deduction of $G, p_0\,R^*\,q; \Gamma \vdash q:\varphi$. We proceed in
two steps: first we rewrite $\pi$ so that no $(R^*_{\mathrm{ind}})$ occurrence in $\pi$ has main premise
depending on a relational judgment discharged by a $(\Box_I)$ occurrence. Then we
rewrite the resulting deduction so as to remove each occurrence of $(R^*_{\mathrm{ind}})$.

Start by observing that, from the subformula property, each occurrence of the connective
$\Box$ within $\pi$ is in the formula $\Box(a \to \bigcirc\bigcirc a)$.

Consider now an outermost subdeduction $\tilde\pi$ in $\pi$ concluding with $p:\Box(a \to \bigcirc\bigcirc a)$.
Here by outermost we mean that $\tilde\pi$ does not occur in the premise of some subdeduction
of $\pi$ that concludes with $(\Box_I)$.

We can replace $\tilde\pi$ within $\pi$ with the deduction


$$
\dfrac{
\dfrac{p_0:\Box(a \to \bigcirc\bigcirc a) \qquad \dfrac{p_0\,R^*\,p \qquad [p\,R^*\,r]}{p_0\,R^*\,r}\;(\rho)}{r:a \to \bigcirc\bigcirc a}\;(\Box_E)
}{p:\Box(a \to \bigcirc\bigcirc a)}\;(\Box_I)
$$


where $(\rho)$ are relational rules used to discharge $p_0\,R^*\,p$. Observe indeed that each
world variable $p$ appearing in $\pi$ is such that $p_0\,R^*\,p$.

Repeating this procedure we obtain a deduction $\pi'$ in which no rule $(\Box_I)$ stands
below an occurrence of $(R^*_{\mathrm{ind}})$.

Now consider an innermost subdeduction $\tilde\pi$ in $\pi'$ concluding with $(R^*_{\mathrm{ind}})$ and with
relational premise of infinite length. Here by innermost we mean that no $(R^*_{\mathrm{ind}})$
rule occurs in a premise of $\tilde\pi$.

Since no $(\Box_I)$ may occur below $\tilde\pi$ and since this occurrence of $(R^*_{\mathrm{ind}})$ has relational
premise of infinite length, this premise must depend on $p_0\,R^*\,q$. Without loss of
generality we will assume that the relational premise is $p_0\,R^*\,q$.

The inductive premise of $\tilde\pi$ will be an NK-STL deduction of


$$
G, G', p_0\,R^*\,p', p'\,R\,p''; \Gamma, \Delta, p':\psi \vdash p'':\psi
$$


with $\psi \in \{a, \bigcirc a, \bigcirc\bigcirc a, \neg a, \neg\bigcirc a, \neg\bigcirc\bigcirc a\}$, $\Delta \subseteq \Gamma'$ and $p', p''$ world variables not
occurring in $G, G', \Gamma, \Delta$.
But, applying $(\bigcirc_I)$, $(\to_I)$ and $(\Box_I)$ we immediately have also a deduction of
$G', G; \Gamma, \Delta \vdash p_0:\Box(\psi \to \bigcirc\psi)$. Now, from Lemma 5.4.2 and from the completeness of
NK-STL, we also have an NK-STL deduction of $G, G'; \Gamma, \Delta \vdash \bot$. So we can build an
$(R^*_{\mathrm{ind}})$-free deduction equivalent to $\tilde\pi$ as follows:


$$
\dfrac{\begin{array}{c}G, G'; \Gamma, \Delta\\ \vdots\\ \bot\end{array}}{q:\varphi}\;(\bot_E)
$$

Repeating this procedure for each occurrence of $(R^*_{\mathrm{ind}})$ in $\pi'$ results in a new
deduction $\pi''$ containing only induction rules with premises of finite length. We can
conclude the proof by application of Proposition 5.3.2. $\square$


Proposition 5.4.4 No proof of $G;\Gamma, p_0\,R^*\,q \vdash q:\varphi$ enjoys the subformula property.


Proof. By Lemma 5.4.3 the assumption would imply also $G;\Gamma, p_0\,R^*\,q \vdash_{\mathrm{STL}} q:\varphi$,
and so immediately, by soundness of NK-STL, also $G;\Gamma \vdash_{\mathrm{STL}} p_0:\Box\varphi$. But this
contradicts Lemma 5.4.1. $\square$


Chapter 6


Omega temporal logic


6.1 The system LTL$^\omega$


In this chapter we augment the deductive machinery of the proof system for linear
temporal logic introduced in Chapter 5 by adding a rule with an infinite set of premises.

The reason to consider such a powerful rule is the same that led to the definition
of the omega rule in systems of arithmetic, i.e. it gives a normalization result and
its standard consequences. In general infinitary systems are used also to establish
results about their finitary counterparts (for example see [Min00]). Soundness results
are a typical application of this technique; also in this case, the consistency of LTL
can be seen as a corollary of the consistency of LTL$^\omega$.

First we define the system and relate it to the semantics of linear temporal logic.
A result of soundness and completeness with respect to that logic is proven.

Then we study the proof theoretical aspects of the system both in a classical
and in an intuitionistic version. A result of normalization is shown and the standard
consequences of normalization are recovered.

In the case of the intuitionistic fragment we also obtain a novel form of
existential property relative to the modal connective $\Diamond$.

Finally we give sufficient conditions under which the omega rule can be eliminated.


Definition 6.1.1 The system NK-LTL$^\omega$ is obtained from NK-STL by adding the
following rule:


$$
\dfrac{
p_0\,R^*\,q \qquad
\begin{array}{c}[p_0 = q]\\ \vdots\\ r:\varphi\end{array} \qquad
\begin{array}{c}[p_0\,R\,p_1]\ [p_1 = q]\\ \vdots\\ r:\varphi\end{array} \qquad \cdots \qquad
\begin{array}{c}[p_0\,R\,p_1] \cdots [p_n\,R\,p_{n+1}]\ [p_{n+1} = q]\\ \vdots\\ r:\varphi\end{array} \qquad \cdots
}{r:\varphi}\;(\omega)\ E(p_1, p_2, \ldots)
$$

where the variables $p_1, p_2, \ldots$ are fresh and the $n$-th premise of the rule discharges the assumptions
$\{p_i\,R\,p_{i+1},\ p_n = q \mid 0 \le i < n\}$.
As usual we denote with $E(p_1, p_2, \ldots)$ the restriction that the eigenvariables
$p_1, p_2, \ldots$ cannot occur free in any assumption of the premises.
In the same way, NJ-LTL$^\omega$ is obtained from NJ-STL by the addition of rule $(\omega)$.


Remark 6.1.2 Another possible, and probably more intuitive, formulation could be the following:

$$
\frac{p_0\,R^*\,q \qquad
\begin{array}{c}
[p_0\,R\,p_1]\ \cdots\ [p_{n-1}\,R\,p_n] \\
\vdots \\
p_n:\varphi
\end{array}\quad (n = 0,1,2,\dots)}
{q:\varphi}\ (\omega')\qquad E(p_1,p_2,\dots)
$$

It is easy to see that nothing is lost in choosing the first one. Indeed assume we have a deduction $\pi$ of $G, p_0\,R^*\,q; \Gamma \vdash q:\varphi$ obtained by application of rule $(\omega')$ to premises $\pi_0, \pi_1, \dots$. Each $\pi_i$ is a deduction of
$$G, p_0\,R^*\,q, p_0\,R\,p_1, \dots, p_{i-1}\,R\,p_i; \Gamma \vdash p_i:\varphi$$
so, applying rule $(=)$ to $\pi_i$, we can build deductions $\pi'_0, \pi'_1, \dots$ with $\pi'_i$ proving
$$G, p_0\,R^*\,q, p_0\,R\,p_1, \dots, p_{i-1}\,R\,p_i, p_i = q; \Gamma \vdash q:\varphi$$
and an application of rule $(\omega)$ to $p_0\,R^*\,q, \pi'_0, \pi'_1, \dots$ gives a deduction equivalent to $\pi$. In other words rule $(\omega')$ is derivable in NK-LTL$^\omega$.

Moreover the two rules are equivalent: more precisely, consider the new system NK-LTL$^{\omega'}$ in which rule $(\omega)$ is replaced by rule $(\omega')$; then we can show that $(\omega)$ is eliminable in NK-LTL$^{\omega'}$ (the proof will be given later, in Corollary 6.1.12).

Anyway we choose to keep rule $(\omega)$ because it shows nicer properties when dealing with normalization.
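As an added illustration, not drawn in the thesis, here is the translation of Remark 6.1.2 written out as a proof tree. It assumes only what the remark uses: that $(=)$ is the relational rule that carries a judgment $p_n:\varphi$ along an equality $p_n = q$ to $q:\varphi$. Given an instance of $(\omega')$ with logical premises $\pi_0, \pi_1, \dots$, define for every $n$

$$
\pi'_n \;=\;
\dfrac{\begin{array}{c}[p_0\,R\,p_1]\ \cdots\ [p_{n-1}\,R\,p_n]\\ \pi_n\\ p_n:\varphi\end{array}\qquad [p_n = q]}{q:\varphi}\ (=)
$$

and then apply $(\omega)$:

$$
\dfrac{p_0\,R^*\,q\qquad \begin{array}{c}\pi'_0\\ q:\varphi\end{array}\qquad \begin{array}{c}\pi'_1\\ q:\varphi\end{array}\qquad\cdots}{q:\varphi}\ (\omega)
$$

Each $\pi'_n$ discharges exactly $p_0\,R\,p_1, \dots, p_{n-1}\,R\,p_n$ and $p_n = q$, which is precisely the set of assumptions the $n$-th premise of $(\omega)$ is allowed to discharge, and the eigenvariable condition $E(p_1,p_2,\dots)$ for $(\omega)$ is inherited from the one for $(\omega')$, because $(=)$ adds no open assumption in which $p_1,p_2,\dots$ occur. The converse direction, from $(\omega)$ to $(\omega')$ (Corollary 6.1.12), is not obtained by such a local translation but through soundness and completeness.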


Since we are now working with infinite objects we try to be more precise in defining the nature of such objects and their basic properties.

Definition 6.1.3 Deductions in NK-LTL$^\omega$ are defined by (transfinite) induction by the following clauses:

• a single logical judgment is an NK-LTL$^\omega$ deduction (the trivial deduction);

• if $\pi_1, \dots, \pi_n$ are NK-LTL$^\omega$ deductions, so are the deductions obtained by the application of an NK-STL rule to premises $\pi_1, \dots, \pi_n$;

• if $\pi_1, \pi_2, \dots$ are NK-LTL$^\omega$ deductions, so are the deductions obtained by the application of an $(\omega)$ rule to premises $\pi_1, \pi_2, \dots$.

Observe that we are banning the case that $\pi$ contains an infinite branch, exactly as happens with proof systems that do not contain infinitary rules. So NK-LTL$^\omega$ deductions are infinitely branching, but never contain infinite branches.

Given an NK-LTL$^\omega$ deduction $\pi$ and an ordinal number $o$, we say that $\pi$ is of size smaller than $o$ (and write $|\pi| < o$) if

• $\pi$ is a trivial proof, or

• $\pi$ concludes with an NK-STL rule with premises $\pi_1, \dots, \pi_n$ such that for all $i$ there is an ordinal $o_i$ with $|\pi_i| < o_i < o$, or

• $\pi$ concludes with an $(\omega)$ rule with premises $\pi_1, \pi_2, \dots$ such that for all $i$ there is an ordinal $o_i$ with $|\pi_i| < o_i < o$.

We will say that $\pi$ is of size $o$, and write $|\pi| = o$, if $o = \min\{o' : |\pi| < o'\}$.

Observe that this notion of size does not agree with the notion of size defined on finite deductions.
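As an added worked computation, not in the thesis, here is how the ordinal size of Definition 6.1.3 behaves on small deductions; it makes the last remark concrete. A trivial deduction is of size smaller than every ordinal, so
$$|\pi_{\mathrm{triv}}| = \min\{o' : |\pi_{\mathrm{triv}}| < o'\} = 0 .$$
If $\pi$ ends with a rule whose premises $\pi_1, \dots, \pi_n$ have sizes $k_1, \dots, k_n$, then $|\pi| < o$ holds iff for every $i$ some $o_i$ with $k_i \le o_i < o$ exists, i.e. iff $o > \max_i k_i$, hence
$$|\pi| = \max\{k_1, \dots, k_n\} + 1, \qquad\text{and in general}\qquad |\pi| = \sup_i\,(|\pi_i| + 1).$$
So the size is the height of the deduction tree, not a count of its rule applications: a rule with three trivial premises has size $1$, whatever the finite measure would say. For an $(\omega)$ rule whose $n$-th logical premise has size $n$ (a chain $p_0\,R\,p_1, \dots, p_{n-1}\,R\,p_n$ of relational steps already gives premises of growing height) we get
$$|\pi| = \sup_n\,(n + 1) = \omega ,$$
a limit ordinal, and one further rule below it gives $\omega + 1$. This is why Definition 6.1.3 and the inductions in the proofs that follow have to be transfinite.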


Proposition 6.1.4 (Soundness) NK-LTL$^\omega$ is sound with respect to the semantics of linear temporal logic.

Proof. By soundness of NK-STL it is sufficient to show the soundness of $(\omega)$. So consider an instance of $(\omega)$ with premises $p_0\,R^*\,q, \pi_0, \pi_1, \dots$ where

$$\pi_i \text{ is a deduction of } G, p_0\,R\,p_1, \dots, p_{i-1}\,R\,p_i, p_i = q; \Gamma \vdash r:\varphi .$$

Let $\mathcal{M}$ and $\sigma$ be a structure and an environment satisfying each of the premises, i.e.

$$\mathcal{M}, \sigma \models G, p_0\,R^*\,q, \Gamma \qquad\text{(a)}$$
$$\mathcal{M}, \sigma \models p_0\,R\,p_1, \dots, p_{i-1}\,R\,p_i, p_i = q \ \Rightarrow\ \mathcal{M}, \sigma \models r:\varphi \quad\text{for each } i \qquad\text{(b)}$$

From (a) we can find a sequence $w_0, \dots, w_n$ of points of $\mathcal{M}$ such that $\sigma(p_0) = w_0\,R\,w_1\,R\cdots R\,w_n = \sigma(q)$. Take $\sigma' = \sigma[p_0 \mapsto w_0]\cdots[p_n \mapsto w_n]$. From the side condition on the eigenvariables $p_1, \dots, p_n$ (they do not occur in $G, \Gamma$, so $\sigma'$ still satisfies $G, \Gamma$) and from (b), which holds for $\sigma'$ as well since $\pi_n$ is sound, we have

$$\mathcal{M}, \sigma' \models p_0\,R\,p_1, \dots, p_{n-1}\,R\,p_n, p_n = q \ \Rightarrow\ \mathcal{M}, \sigma' \models r:\varphi$$

but, by the choice of $w_0, \dots, w_n$, the premise of the implication is immediately satisfied and so we obtain $\mathcal{M}, \sigma' \models r:\varphi$. Finally, since $r$ is not one of the eigenvariables, $\sigma'(r) = \sigma(r)$ and we can conclude $\mathcal{M}, \sigma \models r:\varphi$. □


Proposition 6.1.5 Rule $(R^*_E)$ is derivable in NK-LTL$^\omega$.
More precisely, assume $\pi'$ and $\pi''$ are NK-LTL$^\omega$ deductions respectively of

$$G, p_0\,R^*\,q; \Gamma \vdash p_0:\varphi \qquad\text{and}\qquad G, p_0\,R^*\,q, p_0\,R^*\,p', p'\,R\,p''; \Gamma, p':\varphi \vdash p'':\varphi$$

with $p'$ and $p''$ different from $p_0$ and $q$ and not occurring in $G, \Gamma$. Then there exists also an NK-LTL$^\omega$ deduction of $G, p_0\,R^*\,q; \Gamma \vdash q:\varphi$.

Proof. Consider an infinite sequence of fresh variables $p_1, p_2, \dots$ and inductively define a sequence of NK-LTL$^\omega$ deductions as follows:

$$
\pi_0 = \pi' \qquad\qquad
\pi_{i+1} =
\begin{array}{c}
\begin{array}{c}\pi_i\\ p_i:\varphi\end{array}\qquad p_0\,R^*\,p_i\qquad p_i\,R\,p_{i+1}\\
\pi''\{p_i/p',\, p_{i+1}/p''\}\\
p_{i+1}:\varphi
\end{array}
$$

that is, $\pi_{i+1}$ is $\pi''$ with $p', p''$ renamed to $p_i, p_{i+1}$ and with $\pi_i$ substituted for the assumption $p_i:\varphi$. Then $\pi_i$ is a deduction of $G, G_i, G'_i, p_0\,R^*\,q; \Gamma \vdash p_i:\varphi$ where

$$G_i = \{p_j\,R\,p_{j+1} \mid 0 \le j < i\}, \qquad G'_i = \{p_0\,R^*\,p_j \mid 0 \le j < i\}.$$

Applying $i$ times the introduction rule for $R^*$ (which derives each $p_0\,R^*\,p_j$ from the chain $p_0\,R\,p_1, \dots, p_{j-1}\,R\,p_j$ contained in $G_i$) to the deduction $\pi_i$ we obtain a new deduction $\pi'_i$ of $G, G_i, p_0\,R^*\,q; \Gamma \vdash p_i:\varphi$, and finally applying rule $(\omega')$ to $p_0\,R^*\,q, \pi'_0, \pi'_1, \dots$ we obtain an NK-LTL$^\omega$ deduction of $G, p_0\,R^*\,q; \Gamma \vdash q:\varphi$; the eigenvariable condition holds because $p_1, p_2, \dots$ are fresh. □


Proposition 6.1.6 For each set of assumptions $G; \Gamma$ and for each labelled formula $p:\varphi$

$$G; \Gamma \vdash_{\text{NK-LTL}} p:\varphi \ \Rightarrow\ G; \Gamma \vdash_{\text{NK-LTL}^\omega} p:\varphi$$
$$G; \Gamma \vdash_{\text{NJ-LTL}} p:\varphi \ \Rightarrow\ G; \Gamma \vdash_{\text{NJ-LTL}^\omega} p:\varphi .$$

Proof. The proof is given by defining a type preserving map $|\cdot|^\omega$ from NK-LTL (NJ-LTL) deductions to NK-LTL$^\omega$ (NJ-LTL$^\omega$) deductions, i.e. such that if $\pi$ is an NK-LTL (NJ-LTL) deduction of $G; \Gamma \vdash p:\varphi$ then $|\pi|^\omega$ is an NK-LTL$^\omega$ (NJ-LTL$^\omega$) deduction of $G; \Gamma \vdash p:\varphi$.

Define $|\pi|^\omega$ inductively on $\pi$ as follows:

• if $\pi$ is the trivial proof, $|\pi|^\omega = \pi$;

• if $\pi$ is a proof concluding with an NK-STL rule $(\rho)$ with premises $\pi_1, \dots, \pi_n$, then $|\pi|^\omega$ is obtained by application of $(\rho)$ to the premises $|\pi_1|^\omega, \dots, |\pi_n|^\omega$;

• if $\pi$ is a proof concluding with an occurrence of $(R^*_E)$ with premises $\pi_1$ and $\pi_2$, then $|\pi|^\omega$ is obtained by applying Proposition 6.1.5 to $|\pi_1|^\omega$ and $|\pi_2|^\omega$, i.e. by replacing the final $(R^*_E)$ with the NK-LTL$^\omega$ derivation built there.

The fact that $|\cdot|^\omega$ is type preserving is easily proved using Proposition 6.1.5. Finally observe that $(\bot_c)$ occurs in $|\pi|^\omega$ if and only if $(\bot_c)$ occurs in $\pi$, hence NJ-LTL deductions are mapped to NJ-LTL$^\omega$ deductions. □

This allows us to embed the NK-LTL proof system in NK-LTL$^\omega$, so that we immediately have the following result.


Corollary 6.1.7 (Weak Completeness) For any finite set of labelled formulas $\Gamma$ and any labelled formula $p:\varphi$, we have

$$\Gamma \models p:\varphi \ \Rightarrow\ \Gamma \vdash_{\text{NK-LTL}^\omega} p:\varphi .$$

Proof. By NK-LTL completeness, $\Gamma \models p:\varphi \Rightarrow \Gamma \vdash_{\text{NK-LTL}} p:\varphi$, and by Proposition 6.1.6, $\Gamma \vdash_{\text{NK-LTL}} p:\varphi \Rightarrow \Gamma \vdash_{\text{NK-LTL}^\omega} p:\varphi$. □

Obviously the result also extends to the intuitionistic fragment, as long as the non-infinitary proof system is complete with respect to the considered semantics.

Hence we have two deductive systems with the same expressive power when dealing with finite sets of formulas.

Proposition 6.1.8 For each finite set of labelled formulas $\Gamma$, for each set of relational formulas $G$ and for any labelled formula $p:\varphi$

$$G; \Gamma \vdash_{\text{NK-LTL}} p:\varphi \ \Leftrightarrow\ G; \Gamma \vdash_{\text{NK-LTL}^\omega} p:\varphi .$$

Proof. The $(\Rightarrow)$ part is given in Proposition 6.1.6; the $(\Leftarrow)$ part is an easy consequence of the soundness of NK-LTL$^\omega$ (Proposition 6.1.4) and the weak completeness of NK-LTL. □

On the other side we can see that NK-LTL$^\omega$ is strictly more powerful than NK-LTL when dealing with infinite sets of formulas, and this is due to the fact that LTL is not compact.

Consider for instance the infinite set of assumptions $G = \{p_i\,R\,p_{i+1} \mid 0 \le i\}$, $\Gamma = \{p_i:\varphi \mid 0 \le i\}$ and, for fresh variables $p'_1, p'_2, \dots$, the finite sets $G_n = \{p_0\,R\,p'_1\} \cup \{p'_i\,R\,p'_{i+1} \mid 1 \le i < n\}$.

It is immediate to see that, for each $n$, $G, G_n \vdash p'_n = p_n$ (by linearity of $R$), and so we can build a sequence of NK-LTL deductions $\pi_0, \pi_1, \pi_2, \dots$ such that $\pi_i$ proves $G, G_i; \Gamma \vdash p'_i:\varphi$.

Applying the $(\omega')$ rule to the deductions $\pi_0, \pi_1, \dots$ we obtain the following:

$$
\dfrac{\dfrac{[p_0\,R^*\,q]\qquad
\begin{array}{c}\pi_0\\ p_0:\varphi\end{array}\qquad
\begin{array}{c}[p_0\,R\,p'_1]\\ \pi_1\\ p'_1:\varphi\end{array}\qquad
\begin{array}{c}[p_0\,R\,p'_1]\ [p'_1\,R\,p'_2]\\ \pi_2\\ p'_2:\varphi\end{array}\qquad\cdots}
{q:\varphi}\ (\omega')}
{p_0:\Box\varphi}\ (\Box_I)
$$

On the other side, consider any finite subset $\Gamma_{\mathrm{fin}}$ of $\Gamma$: clearly $G; \Gamma_{\mathrm{fin}} \not\models p_0:\Box\varphi$. And, since any NK-LTL deduction $\pi$ must have a finite number of undischarged assumptions, we have $G; \Gamma \nvdash_{\text{NK-LTL}} p_0:\Box\varphi$.


Proposition 6.1.9 (Strong Completeness) Given a (possibly infinite) set $\Gamma$ of LTL formulas

$$\Gamma \models_{\text{LTL}} \bot \ \Rightarrow\ p_0:\Gamma \vdash_{\text{NK-LTL}^\omega} \bot$$

where we wrote $p_0:\Gamma$ for the set $\{p_0:\varphi \mid \varphi \in \Gamma\}$.

The proof follows a standard Henkin style argument: we prove the contrapositive by building a model for $\Gamma$. The simplicity of the proof is also due to the powerful $(\omega)$ rule, which allows us to get rid of the typical complications arising from the fulfilment of eventualities.

In the rest of the proof we will write $\Gamma$ instead of $p_0:\Gamma$, and we will consider a set of variables $S = \{p_i \mid 0 \le i < \omega\}$ and a set of relational formulas $G = \{p_i\,R\,p_{i+1} \mid 0 \le i\}$.

First we build the maximal consistent set $\bar\Gamma$ extending $\Gamma \cup G$ via application of the Lindenbaum technique ([Sho67]).


Proposition 6.1.10 Each consistent set of LTL labelled formulas $\Gamma$ can be extended to a maximal consistent set $\bar\Gamma$.

The following lemma states some basic properties of $\bar\Gamma$.

Lemma 6.1.11 For any maximal consistent set $\bar\Gamma$ extending $G \cup \Gamma$, for any LTL formulas $\varphi, \psi$ and for any world variable $p_i \in S$

$$
\begin{array}{lcl}
p_i:\neg\varphi \in \bar\Gamma & \iff & p_i:\varphi \notin \bar\Gamma \\
p_i:\varphi\wedge\psi \in \bar\Gamma & \iff & p_i:\varphi \in \bar\Gamma \text{ and } p_i:\psi \in \bar\Gamma \\
p_i:\varphi\vee\psi \in \bar\Gamma & \iff & p_i:\varphi \in \bar\Gamma \text{ or } p_i:\psi \in \bar\Gamma \\
p_i:\varphi\to\psi \in \bar\Gamma & \iff & p_i:\varphi \in \bar\Gamma \text{ implies } p_i:\psi \in \bar\Gamma \\
p_i:\bigcirc\varphi \in \bar\Gamma & \iff & p_{i+1}:\varphi \in \bar\Gamma \\
p_i:\Diamond\varphi \in \bar\Gamma & \iff & \exists k \ge 0.\ p_{i+k}:\varphi \in \bar\Gamma \\
p_i:\Box\varphi \in \bar\Gamma & \iff & \forall k \ge 0.\ p_{i+k}:\varphi \in \bar\Gamma
\end{array}
$$

Proof. Each equivalence follows trivially from the definition of maximal consistent set and from simple deductions in NK-LTL$^\omega$. As an example we consider the case $p_i:\Box\varphi$.

$(\Rightarrow)$ If $p_i:\Box\varphi \in \bar\Gamma$ we have, for each $k$, $G \vdash p_i\,R^*\,p_{i+k}$ and so also $G; \bar\Gamma \vdash p_{i+k}:\varphi$ by $(\Box_E)$; hence $p_{i+k}:\varphi \in \bar\Gamma$ by maximality.

$(\Leftarrow)$ If for each $k$ we have $p_{i+k}:\varphi \in \bar\Gamma$, applying $(\omega')$ we obtain $G; \bar\Gamma, p_i\,R^*\,q \vdash q:\varphi$ for a generic $q$ not occurring in $G$ (as in the example preceding Proposition 6.1.9, the eigenvariables of $(\omega')$ are identified with $p_{i+1}, p_{i+2}, \dots$ through the linearity of $R$). An application of $(\Box_I)$ gives us $G; \bar\Gamma \vdash p_i:\Box\varphi$, and so $p_i:\Box\varphi \in \bar\Gamma$. □


Proof (Strong Completeness). We start by defining a linear temporal structure $\mathcal{M} = (S, R, R^*, \rho)$ taking:

• $S$ as the set defined above;

• $R = \{(p, q) \mid p\,R\,q \in G\}$;

• $R^*$ as the reflexive and transitive closure of $R$;

• $\rho$ as the function mapping $p$ to $\{a \mid p:a \in \bar\Gamma\}$ (recall that $\rho$ takes values over the set of atomic formulas).

Observe that, by construction, the unique $R$-successor of $p_i$ in $\mathcal{M}$ is $p_{i+1}$ and its $R^*$-successors are exactly the $p_{i+k}$ with $k \ge 0$. We now prove that for any $\varphi$ and for any $p_i \in S$

$$\mathcal{M}, p_i \models \varphi \ \iff\ p_i:\varphi \in \bar\Gamma .$$

Proceed by induction on $\varphi$:

• if $\varphi$ is atomic the thesis follows by definition of $\rho$;

• if $\varphi$ has main connective in $\neg, \wedge, \vee, \to, \bigcirc$ the thesis follows by definition of $\models$, by the inductive hypothesis and by application of Lemma 6.1.11;

• if $\varphi = \Box\psi$: $\mathcal{M}, p_i \models \Box\psi$ iff $\mathcal{M}, p_{i+k} \models \psi$ for all $k \ge 0$, iff (by the inductive hypothesis) $p_{i+k}:\psi \in \bar\Gamma$ for all $k \ge 0$, iff (by Lemma 6.1.11) $p_i:\Box\psi \in \bar\Gamma$. Note that if $p_i:\Box\psi \notin \bar\Gamma$ then, again by Lemma 6.1.11, $p_{i+k}:\neg\psi \in \bar\Gamma$ for some $k$, which gives $p_i:\Diamond\neg\psi \in \bar\Gamma$; so $p_i:\Box\psi \in \bar\Gamma$ would contradict the consistency of $\bar\Gamma$, in accordance with the equivalence just proved;

• if $\varphi = \Diamond\psi$: $\mathcal{M}, p_i \models \Diamond\psi$ iff $\mathcal{M}, p_{i+k} \models \psi$ for some $k \ge 0$, iff (by the inductive hypothesis) $p_{i+k}:\psi \in \bar\Gamma$ for some $k \ge 0$, iff (by Lemma 6.1.11) $p_i:\Diamond\psi \in \bar\Gamma$. Symmetrically, if $\mathcal{M}, p_i \not\models \Diamond\psi$ then $p_{i+k}:\neg\psi \in \bar\Gamma$ for all $k$, hence $p_i:\Box\neg\psi \in \bar\Gamma$, which is inconsistent with $p_i:\Diamond\psi \in \bar\Gamma$.

We complete the proof observing that, by construction, $\Gamma \subseteq \bar\Gamma$ and we proved $\mathcal{M} \models \bar\Gamma$, so also $\mathcal{M}, p_0 \models \Gamma$: every consistent $\Gamma$ is satisfiable, which is the contrapositive of the statement. □

Corollary 6.1.12 Rule $(\omega)$ is eliminable in the system NK-LTL$^{\omega'}$ obtained from NK-LTL$^\omega$ by replacing rule $(\omega)$ with rule $(\omega')$.

Proof. In the proof of completeness (Proposition 6.1.9) we used only rule $(\omega')$, so that NK-LTL$^{\omega'}$ and NK-LTL$^\omega$ are sound and complete for the same semantics. Said in symbols: $\Gamma \vdash_{\text{NK-LTL}^\omega} \bot$ implies $\Gamma \models \bot$ by Proposition 6.1.4, which implies $\Gamma \vdash_{\text{NK-LTL}^{\omega'}} \bot$ by Proposition 6.1.9; conversely every NK-LTL$^{\omega'}$ deduction is an NK-LTL$^\omega$ deduction by Remark 6.1.2. □


6.2 Normalization

In this section we study the reductions for the system of linear temporal logic with omega rule. The main result of this section will be a normalization result.

6.2.1 Reduction Rules

First we complete the set of reductions by adding commutative conversions involving the $(\omega)$ rule. Each of these reductions follows the pattern shown below, in which $(\rho)$ is any elimination rule having the conclusion of the $(\omega)$ rule as its main premise.

$$
\dfrac{\dfrac{p_0\,R^*\,p\qquad
\begin{array}{c}[p_0 = p]\\ \pi_0\\ q:\varphi\end{array}\qquad
\begin{array}{c}[p_0\,R\,p_1]\,[p_1 = p]\\ \pi_1\\ q:\varphi\end{array}\qquad\cdots}
{q:\varphi}\ (\omega)\qquad
\begin{array}{c}\pi'_1\\ q_1:\varphi_1\end{array}\ \cdots\
\begin{array}{c}\pi'_n\\ q_n:\varphi_n\end{array}}
{r:\psi}\ (\rho)
\qquad\rhd
$$

$$
\dfrac{p_0\,R^*\,p\qquad
\begin{array}{c}[p_0 = p]\\ \pi_0\\
\dfrac{q:\varphi\quad \begin{array}{c}\pi'_1\\ q_1:\varphi_1\end{array}\ \cdots\ \begin{array}{c}\pi'_n\\ q_n:\varphi_n\end{array}}{r:\psi}\ (\rho)\end{array}\qquad
\begin{array}{c}[p_0\,R\,p_1]\,[p_1 = p]\\ \pi_1\\
\dfrac{q:\varphi\quad \begin{array}{c}\pi'_1\\ q_1:\varphi_1\end{array}\ \cdots\ \begin{array}{c}\pi'_n\\ q_n:\varphi_n\end{array}}{r:\psi}\ (\rho)\end{array}\qquad\cdots}
{r:\psi}\ (\omega)
$$

Observe that the resulting deduction is well formed, since no elimination rule discharges relational assumptions on its main premise and so the relational premise of rule $(\omega)$ cannot be discharged by rule $(\rho)$ (the eigenvariables $p_1, p_2, \dots$ are renamed apart from the variables of $\pi'_1, \dots, \pi'_n$ if necessary).


6.2.2 Preliminaries

In this section we give some basic definitions and properties needed later to prove the normalization result. Most of these are completely standard and can be found for instance in [TS96] and [Sch77].

Definition 6.2.1 The definition of dependency among relational judgments carries over to LTL$^\omega$ deductions, adding the clause that a relational formula discharged by an application of $(\omega)$ immediately depends on the relational premise of that rule.

The facts stated in Section 3.4 about relational formula occurrences remain valid also for LTL$^\omega$ deductions; the only difference is that a formula occurrence may also have been discharged by an $(\omega)$ rule.

We can also generalize the notions of thread, path and segment.

Definition 6.2.2 In the following we will regard $(\omega)$ as a relational rule, and the definitions of thread, path and segment follow accordingly.

The definition of cut rank (cf. Definition 4.1.3) extends immediately to $\omega$-deductions, replacing $\max$ with $\sup$.

Definition 6.2.3 Given a deduction $\pi$, define the rank of $\pi$ ($cr(\pi)$) as the pair $(n, \ell)$ where:

$$n = \sup\{|\sigma| : \sigma \text{ is a maximum segment in } \pi\}$$
$$\ell = \sup\{lh(\sigma) : \sigma \text{ is a maximum segment in } \pi \text{ with } |\sigma| = n\}$$

with $|\sigma|$ the size of the formula of the segment $\sigma$ and $lh(\sigma)$ its length. We will consider as usual the lexicographic order on the set of pairs in $(\omega \cup \{\omega\}) \times (\omega \cup \{\omega\})$.

Notice that for $\omega$-deductions $cr(\pi)$ takes values in $(\omega \cup \{\omega\}) \times (\omega \cup \{\omega\})$, since a proof can contain sequences of segments of unbounded length and sequences of segments of formulas of unbounded size.

To make things simpler we normalize deductions in two steps: first we use commutative conversions to move indirect rules into a convenient position, then we perform proper reductions.


Observation 6.2.4 Since in this logic we have infinite deductions, infinite reduction sequences arise naturally. Consider for instance a proof $\pi$ obtained by $(\omega)$ from proofs $\pi_1, \pi_2, \dots$ and reduction sequences $\sigma_1, \sigma_2, \dots$ for $\pi_1, \pi_2, \dots$ respectively. In this case we could also consider the infinite sequence of reductions for $\pi$ obtained by interleaving the sequences $\sigma_1, \sigma_2, \dots$. We will not be too formal on this point, since we will not explicitly talk about reduction sequences.

Observation 6.2.5 Observe that commutative conversions and relational reductions preserve segments; more precisely, if $\pi'$ is obtained from $\pi$ by a commutative conversion, there is a bijection between the segments in $\pi$ and the segments in $\pi'$.

In particular if $\sigma$ is a segment occurring in $\pi$ and $\sigma'$ is the corresponding segment in $\pi'$, we have that $\sigma'$ is the main premise of a proper logical reduction $(\rho)$ if and only if so is $\sigma$.

Lemma 6.2.6 (Substitution Lemma) Let $\pi$ be a deduction of $G; \Gamma, q:\psi \vdash p:\varphi$ and $\pi'$ a deduction of $G'; \Gamma' \vdash q:\psi$. Then the deduction $\pi\{\pi'/q:\psi\}$, obtained by replacing the occurrences of the assumption $q:\psi$ with $\pi'$ in $\pi$, is a deduction of $G, G'; \Gamma, \Gamma' \vdash p:\varphi$ such that

$$cr(\pi\{\pi'/q:\psi\}) \le \max\{cr(\pi), cr(\pi'), (|\psi|, \omega)\} .$$

Proof. By induction on $|\pi|$. □

Lemma 6.2.7 Given an $\omega$-deduction $\pi$ there exists an equivalent deduction $\bar\pi$ such that $cr(\bar\pi) \le cr(\pi)$ and each maximum segment in $\bar\pi$ is of length 1.


Proof. Proceed by induction on $|\pi|$.

If $\pi$ is the trivial deduction we can take $\bar\pi = \pi$ and we have finished. So assume that $\pi$ is of shape

$$
\dfrac{\begin{array}{c}\pi_0\\ p_0:\varphi_0\end{array}\qquad\begin{array}{c}\pi_1\\ p_1:\varphi_1\end{array}\qquad\cdots}{p:\varphi}\ (\rho)
$$

Now, if $(\rho)$ is a relational or an introduction rule, we can build the new deduction

$$
\dfrac{\begin{array}{c}\bar\pi_0\\ p_0:\varphi_0\end{array}\qquad\begin{array}{c}\bar\pi_1\\ p_1:\varphi_1\end{array}\qquad\cdots}{p:\varphi}\ (\rho)
$$

where $\bar\pi_i$ is obtained by application of the inductive hypothesis to $\pi_i$. Clearly each maximum segment in $\bar\pi$ belongs to some $\bar\pi_i$ and so it must be of length 1.

Consider now the case that $(\rho)$ is an elimination rule and assume $p_0:\varphi_0$ is the main premise of $(\rho)$. If $p_0:\varphi_0$ stands on a maximum segment of length 1, or does not stand on a maximum segment at all, the same procedure described above applies. So assume that $p_0:\varphi_0$ stands on a maximum segment of length greater than 1; in this case it will be the conclusion of an indirect rule $(\rho')$. Now we can apply a commutative conversion to obtain a deduction concluding with $(\rho')$ and with premises of size strictly smaller than $|\pi|$. Finally, using the same procedure described above, we obtain the thesis.

To make things clearer we spell out in detail the case that $(\rho')$ is $(\omega)$. Writing $\pi_{0,0}, \pi_{0,1}, \dots$ for the logical premises of the $(\omega)$ rule concluding $\pi_0$ (their discharged relational assumptions are omitted), we will have

$$
\dfrac{\dfrac{p\,R^*\,q\qquad\begin{array}{c}\pi_{0,0}\\ p_0:\varphi_0\end{array}\qquad\begin{array}{c}\pi_{0,1}\\ p_0:\varphi_0\end{array}\qquad\cdots}{p_0:\varphi_0}\ (\omega)\qquad
\begin{array}{c}\pi_1\\ p_1:\varphi_1\end{array}\ \cdots\ \begin{array}{c}\pi_n\\ p_n:\varphi_n\end{array}}{p:\varphi}\ (\rho)
\qquad\rhd
$$

$$
\dfrac{p\,R^*\,q\qquad
\begin{array}{c}\pi_{0,0}\\ \dfrac{p_0:\varphi_0\quad\begin{array}{c}\pi_1\\ p_1:\varphi_1\end{array}\cdots\begin{array}{c}\pi_n\\ p_n:\varphi_n\end{array}}{p:\varphi}\ (\rho)\end{array}\qquad
\begin{array}{c}\pi_{0,1}\\ \dfrac{p_0:\varphi_0\quad\begin{array}{c}\pi_1\\ p_1:\varphi_1\end{array}\cdots\begin{array}{c}\pi_n\\ p_n:\varphi_n\end{array}}{p:\varphi}\ (\rho)\end{array}\qquad\cdots}{p:\varphi}\ (\omega)
$$

Let $\pi'$ be the resulting deduction and let $\pi'_0, \pi'_1, \dots$ be as follows:

$$
\pi'_i \;=\; \dfrac{\begin{array}{c}\pi_{0,i}\\ p_0:\varphi_0\end{array}\qquad p_1:\varphi_1\ \cdots\ p_n:\varphi_n}{p:\varphi}\ (\rho)
$$

Clearly the $i$-th logical premise of the $(\omega)$ rule in $\pi'$ can be obtained by substituting $\pi_1, \dots, \pi_n$ for the assumptions $p_1:\varphi_1, \dots, p_n:\varphi_n$ within $\pi'_i$.

Now observe that for all $i$ and for all $1 \le j \le n$:

$$|\pi'_i| = |\pi_{0,i}| + 1 \le |\pi_0| < |\pi| \qquad\text{and}\qquad |\pi_j| < |\pi|$$

so that we can apply the inductive hypothesis to each $\pi'_i$ and to each $\pi_j$, obtaining deductions $\bar\pi'_i$ and $\bar\pi_j$. Then indicate with $\tilde\pi_i$ the result of substituting $\bar\pi_1, \dots, \bar\pi_n$ for $p_1:\varphi_1, \dots, p_n:\varphi_n$ in $\bar\pi'_i$.

The segments in $\tilde\pi_i$ on which $p_j:\varphi_j$ stand are not main premises of elimination rules (they are minor premises of $(\rho)$), hence the only maximum segments in $\tilde\pi_i$ are those appearing either in $\bar\pi'_i$ or in $\bar\pi_1, \dots, \bar\pi_n$.

Finally, the only maximum segments appearing in the deduction

$$
\bar\pi \;=\; \dfrac{p\,R^*\,q\qquad\begin{array}{c}\tilde\pi_0\\ p:\varphi\end{array}\qquad\begin{array}{c}\tilde\pi_1\\ p:\varphi\end{array}\qquad\cdots}{p:\varphi}\ (\omega)
$$

also appear either in some $\bar\pi'_i$ or in some $\bar\pi_j$ and, by the inductive hypothesis, these contain no maximum segment of length greater than 1; $cr(\bar\pi) \le cr(\pi)$ follows from Observation 6.2.5. □


6.2.3 NK-LTL$^\omega$ Normalization

Again, in order to tackle normalization in the classical case, we consider the fragment of "well behaved" connectives (conjunction, implication and the universal modal operators) and remove from deductions each occurrence of $(\bot_c)$ with non atomic conclusion.

The proof will proceed by steps: first we will show how to normalize deductions with finite cut rank, then we will use the result to prove a general normalization theorem.

Proposition 6.2.8 Let $\pi$ be a deduction of $p:\varphi$ from $G; \Gamma$ in the $\bot, \to, \wedge, \bigcirc, \Box$ fragment; then there exists a deduction $\pi'$ of $G; \Gamma \vdash p:\varphi$ satisfying

$$\text{each application of } (\bot_c) \text{ in } \pi' \text{ has atomic conclusion.} \qquad\text{(6.2.1)}$$

Proof. The argument is similar to that used in Proposition 4.2.1, but we have to change the inductive measure since, in principle, the size of the formulas occurring in $\pi$ as conclusions of $(\bot_c)$ could be unbounded.

So proceed by (transfinite) induction on $|\pi|$:

• if $\pi$ is a trivial deduction we have nothing to prove;

• if $\pi$ is obtained from $\pi_1, \pi_2, \dots$ via a rule $(\rho)$ different from $(\bot_c)$, the inductive hypothesis gives us deductions $\pi'_1, \pi'_2, \dots$ each without occurrences of $(\bot_c)$ with non atomic conclusion; applying $(\rho)$ to $\pi'_1, \pi'_2, \dots$ results in the desired deduction;

• if $\pi$ is of shape

$$
\dfrac{\begin{array}{c}[p:\neg\varphi]\\ \pi_1\\ p:\bot\end{array}}{p:\varphi}\ (\bot_c)
$$

we have by the induction hypothesis a new proof $\pi'_1$ equivalent to $\pi_1$ in which no $(\bot_c)$ occurrence concludes with a non atomic formula. Now we can proceed by induction on $|\varphi|$, as in Proposition 4.2.1, to show the existence of $\pi'$. □

Proposition 6.2.9 Let $\pi$ be an NK-LTL$^\omega$ deduction in the $\bot, \to, \wedge, \bigcirc, \Box$ fragment. Assume also that $cr(\pi) = (n, 1)$ for some $0 < n < \omega$, that every maximum segment of $\pi$ has length 1 (as guaranteed by Lemma 6.2.7) and that $\pi$ satisfies (6.2.1). Then there exists an $\omega$-deduction $\bar\pi$ equivalent to $\pi$ with $cr(\bar\pi) < cr(\pi)$.
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Proof. We proceed by induction on |z]. 

By the assumption on cr(z), 7 cannot be the trivial proof so the base case is 
vacuously verified. 

Let (p) be the last rule in 7 and 7, 77,... the premises of (p). We now have the 
following cases: 


e The main premise of (~) is not on a maximum segment. 


First take 7; as 7; if cr(a;) = 0 and as the deduction obtained by application 
of the inductive hypothesis to 7;, otherwise. 


Then define 7 as the deduction concluding with (9) and with premises 7;. 
We will have cr(7) = sup{er(7;)} and either cr(a;) = cr(m;) = 0 or er(m;) < 
cr(z;). Then, since by assumption cr(z) = sup{er(m;)} < (w,1), we obtain 
cr(7) < cr(7). 


e (p) is an elimination rule with main premise that stand on a maximum seg- 
ment. 


By hypothesis on z (length of the maximum segments and (6.2.1)) such premise 
must be the conclusion of an introduction rule (say (p’)). So we have to 
consider the possible introduction elimination pairs (p’)/(p). 


Assuming 7,...,7» are the premises of the introduction rule (R’), take 7; 
as 7; is cr(m;) = 0, the deduction obtained by application of the inductive 
hypothesis on 7;, otherwise. Obviously we will have either cr(7;) = er(a;) = 0 
or cr(7;) < er(7;). Proceed now by case analysis. 


(—¢) This is the most significant case, we have 


ne | 
pp ao | m1 Ip: 2 
ppow. * i 


By Lemma 6.2.6 we have 


cr(7) = cr(ao{71/p: v}) 
max{cr(7o), cr(71), ([y] ,w) } 
< max{cr(7), cr(7™71), (lg — ¥|,1)} = er(z) 


IA 


(Ag) in this case (and the symmetrical) we have 


[7  |m 
pp pw 
(Az) 5 
/\ TT 
= a KS) B= ply 
es) : 
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and either cr(7) = cr(7) = 0 < er(m), or 


er(7) = er(7o) < cr(mo) < max{er(79), er(™1), (jp AY], 1)} = er(z). 


(O¢) in this case we have 


[p Rr] 
| 70 
rip (07) pRq 
_pRq pop as Si | wo{a/r} 
gp e PP 


and again, either cr(7) = cr(7o) = cr(ao) = 0 < er(m), or 


cr(7) = cr(io) < er(ao) < max{er(7), ([O y|,1)} = er(z). 
(Og) the argument is the same used for the previous case. Oo 
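As an added worked instance of the case the thesis leaves to the reader, here is the $(\bigcirc_I)/(\bigcirc_E)$ reduction together with its rank bound. It is not drawn in the thesis, and it assumes that the rules for $\bigcirc$ have the same shape as the rules for $\Box$ used in the previous case, with the one-step relation $R$ in place of $R^*$: $(\bigcirc_I)$ concludes $p:\bigcirc\varphi$ from a deduction of $r:\varphi$ that discharges $[p\,R\,r]$, with $r$ an eigenvariable, and $(\bigcirc_E)$ concludes $q:\varphi$ from $p:\bigcirc\varphi$ and $p\,R\,q$.

$$
\dfrac{\dfrac{\begin{array}{c}[p\,R\,r]\\ \pi_0\\ r:\varphi\end{array}}{p:\bigcirc\varphi}\ (\bigcirc_I)\qquad p\,R\,q}{q:\varphi}\ (\bigcirc_E)
\qquad\rhd\qquad
\begin{array}{c}p\,R\,q\\ \bar\pi_0\{q/r\}\\ q:\varphi\end{array}
$$

Here $\bar\pi_0$ is $\pi_0$ if $cr(\pi_0) < cr(\pi)$ and the result of the inductive hypothesis otherwise. The renaming $\{q/r\}$ is legal because $r$ is an eigenvariable of $(\bigcirc_I)$ and therefore does not occur in any open assumption of $\pi_0$ other than $[p\,R\,r]$; the minor premise $p\,R\,q$ simply takes the place of that assumption. Since only a relational assumption is replaced, no substitution lemma is needed and no new segment of logical formulas is created, so

$$cr(\bar\pi) = cr(\bar\pi_0) < \max\{cr(\pi_0), (|\bigcirc\varphi|, 1)\} = cr(\pi) .$$

Compared with the $(\to_E)$ case the bound is tighter: there a logical assumption $p:\varphi$ is replaced by a whole deduction, which is what brings the term $(|\varphi|, \omega)$ of Lemma 6.2.6 into play.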


Observation 6.2.10 Reductions do not create new occurrences of $(\bot_c)$, so if $\pi$ satisfies (6.2.1) and $\pi'$ is a reduct of $\pi$, also $\pi'$ satisfies (6.2.1). In particular both Lemma 6.2.7 and Proposition 6.2.9 preserve (6.2.1).

Corollary 6.2.11 Let $\pi$ be an NK-LTL$^\omega$ deduction in the $\bot, \to, \wedge, \bigcirc, \Box$ fragment. Assume also $cr(\pi) < (n, \omega)$ for some $0 < n < \omega$, and that $\pi$ satisfies (6.2.1). Then there exists a normal deduction $\bar\pi$ equivalent to $\pi$.

Proof. The proof easily follows by induction on $cr(\pi)$, which ranges over the well ordered pairs below $(n, \omega)$: Lemma 6.2.7 brings every maximum segment to length 1 without increasing the rank, Proposition 6.2.9 then strictly decreases it, and Observation 6.2.10 guarantees that (6.2.1) is preserved at each step. □

Proposition 6.2.12 (Normalization) For each $\omega$-deduction in the $\bot, \to, \wedge, \bigcirc, \Box$ fragment there exists an equivalent normal deduction.

Proof. We can assume that $\pi$ satisfies (6.2.1); if not, we can apply Proposition 6.2.8. We now proceed by induction on $|\pi|$, showing the existence of a normal proof $\bar\pi$ equivalent to $\pi$ and satisfying (6.2.1).

If $\pi$ is the trivial deduction we have nothing to prove; otherwise let $(\rho)$ be the last rule in $\pi$ and let $\pi_0, \pi_1, \dots$ be the premises of $(\rho)$, concluding respectively with $p_0:\varphi_0, p_1:\varphi_1, \dots$. By the inductive hypothesis we have normal deductions $\bar\pi_0, \bar\pi_1, \dots$ equivalent to $\pi_0, \pi_1, \dots$ respectively. Then we can build the new deduction

$$
\pi' \;=\; \dfrac{\begin{array}{c}\bar\pi_0\\ p_0:\varphi_0\end{array}\qquad\begin{array}{c}\bar\pi_1\\ p_1:\varphi_1\end{array}\qquad\cdots}{p:\varphi}\ (\rho)
$$

If no premise of $(\rho)$ in $\pi'$ stands on a maximum segment, $\pi'$ is a normal deduction, since a maximum segment in $\pi'$ would have to occur in some $\bar\pi_i$, and this is impossible because each $\bar\pi_i$ is normal by the induction hypothesis. Moreover $\pi'$ satisfies (6.2.1) since $\bar\pi_0, \bar\pi_1, \dots$ do.

So the only other cases to consider are those in which $(\rho)$ is an elimination rule. In these cases we have only a finite number of premises, say $\pi_0, \dots, \pi_n$, and each maximum segment occurring in $\pi'$ must end on one of the premises of $(\rho)$. Hence we immediately have $cr(\pi') \le (\max\{|\varphi_0|, \dots, |\varphi_n|\}, \omega) < (\max\{|\varphi_0|, \dots, |\varphi_n|\} + 1, \omega)$; moreover, by the induction hypothesis, by the fact that $\pi$ satisfies (6.2.1) and by Observation 6.2.10, $\pi'$ satisfies (6.2.1) as well. Hence we can apply Corollary 6.2.11 to $\pi'$ in order to obtain a normal deduction. □

Hereafter, in virtue of Proposition 6.2.8, we will assume that normal proofs satisfy (6.2.1).

Observe that in this setting it makes no sense to talk about strong normalization. Indeed we can consider deductions containing an infinite number of independent redexes, and we cannot hope to reach a normal form for such a deduction with a finite sequence of reductions. In the proof shown above the infinite number of reductions is hidden in the induction, where we apply inductive arguments to the (possibly infinite) set of premises of a rule.


6.2.4 Consequences of normalization in NK-LTL$^\omega$

In this section we will prove some corollaries following from the normalization theorems. Most of them are the equivalent of the standard results for classical systems of predicate logic.

Lemma 6.2.13 (Structure of normal proofs in NK-LTL$^\omega$)
Consider a normal deduction $\pi$ in the $\bot, \to, \wedge, \bigcirc, \Box$ fragment of NK-LTL$^\omega$. Let $\sigma_0, \sigma_1, \dots, \sigma_n$ be a sequence of segments forming a path in $\pi$, and let $\varphi_j$ be the formula of segment $\sigma_j$. Then there exists $i \in [0..n]$ such that $\sigma_i$ is the minimum segment, i.e.

• each $\sigma_j$ in the E part of the path (i.e. such that $j < i$) is the major premise of an elimination rule and $\varphi_{j+1}$ is a subformula of $\varphi_j$;

• either $i = n$, or $\sigma_i$ is the premise of an introduction rule or of a $(\bot_c)$ rule;

• each $\sigma_j$ in the I part of the path (i.e. such that $i < j$) is the conclusion of an introduction rule and $\varphi_j$ is a subformula of $\varphi_{j+1}$.

Proof. The thesis follows from the observation that $\pi$ does not contain maximum segments. □

In this result we have to deal with segments instead of formulas, even though we excluded the case of $\vee$ and $\Diamond$. The reason is the presence of relational rules that may occur among logical rules. It can easily be seen, however, that such relational rules could be commuted below the logical rules.
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Theorem 6.2.14 (Consistency) The system NK-LTL” is consistent. 


Proof. As usual assume by contradiction to have a normal proof 7 of p: L, and 
consider a main path in 7. 

From Lemma 6.2.13 we know that such path will be composed of an introduction 
part and an elimination part. Since we have no introduction rule for L, the I part 
of the path will be empty. But so will be also the E part of the path since we have 
no assumption to discharge. Oo 


This immediately gives also the consistency of NK—LTL. 


Corollary 6.2.15 The system NK-LTL 1s consistent. 


Proof. Immediate from consistency of NK—-LTL® and from Proposition 6.1.6. O 


Corollary 6.2.16 (Subformula property) Given a normal deduction 7m of G;PF 
p:p, each formula occurring in 7 is either a subformula of some formula in TU {yp} 
or a subformula of a formula discharged by an application of (Le.). 


Proof. The statement is proved by induction on the order of the path on which the 
formula occurs. 

For a main path (order 0) this is an easy consequence of Lemma 6.2.13. Consider 
a path (@ of order n+ 1, by definition of order, @ concludes on a path (’ of order n. 
It is now sufficient to use Lemma 6.2.13 and apply the inductive hypothesis on (’ 
to obtain the thesis. oO 


Corollary 6.2.17 (Separation Theorem) The only rules applied in a normal de- 
duction of G; Fp: are relational rules and logical rules for connectives occurring 
in formulas of T and vp. 


Proof. Follows immediately from Corollary 6.2.16. Oo 


6.2.5 NJ-LTL$^\omega$ Normalization

In this section we examine normalization for the intuitionistic version of the system; we will consider the full set of connectives.

The arguments will follow the same pattern as in the classical case, but we will obtain different and more interesting consequences.

Proposition 6.2.18 Given an NJ-LTL$^\omega$ deduction $\pi$ with $cr(\pi) = (n, 1)$ for some $0 < n < \omega$ and all of whose maximum segments have length 1, there exists an equivalent deduction $\bar\pi$ with $cr(\bar\pi) < cr(\pi)$.

Proof. The proof proceeds along the same lines as the proof of Proposition 6.2.9; the only difference is in the inductive case, where we can also have reductions for $\vee$, $\Diamond$ and $\bot$.
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e If « concludes with a rule (L¢) whose main premise stands on a maximum 
segment, 7 must be of shape 


a 
iL py. | | ™ 
DP ( é) piv cae ‘Dnt Wn (p) 
Po: W 
where (p) is an elimination rule. 
Then take 
Pe 
2 ale 
T= le 
Po: W (Le) 


where 7’ is x’ if cr(z’) = 0 and the deduction obtained by inductive hypothesis 
applied to z’ otherwise. 


Clearly cr(7) = cr(z’) < cr(z). 


e If w concludes with a rule (Ve) whose main premise stands on a maximum 
segment, 7 must be of shape 


| x! Ip: yi] |p: pal 
D: Pi [7 | 
(Vr) : : 
DPD Pr V Ye PoP po: Y (Ve) 
Po: W 


Then take 7’ as a’ if cr(z’) = 0, the deduction obtained by application of the 
inductive hypothesis to 7’ otherwise. In the same way define 7’. 


Finally take 


and by Lemma 6.2.6 we have 
cr(#) = er(my{7'/p: pit) 
max{cr(7’), er(7/), (lil, ~) } 


max{er(x'), or(77), (Ie1 V al 1) } = er(). 


A |A 


e If 7 concludes with a rule (¢) whose main premise stands on a maximum 
segment, by hypothesis on cr(), such premise must be conclusion of a (7). 
Hence z has the following shape: 
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Now define 7’ as a’ if er(z’) = 0, the deduction obtained by application of the 
inductive hypothesis to 7’ otherwise. In analogous way define also 7”. 


Now we can take 


and by Lemma 6.2.6 we have 


cr(7) er(a"{7'/p: p}) 
(7"), cr(#’), (lp ,w) } 
max{cr(7”), r(x’), (|O y| , 1) } = er(z). 


A IA 
= 
ie¥) 
m 
as 
° 
4 


O 
Corollary 6.2.19 For any NJ-LTL” deduction 1 with cr(7) < (n,w) for some 
n<w exists a normal deduction 7 equivalent to 7. 


Proof. The proof easily follows by induction on cr(7) using Proposition 6.2.18 and 
Lemma 6.2.7. O 


Proposition 6.2.20 (Normalization) For each NJ-LTL$^\omega$ deduction there exists an equivalent normal deduction.

Proof. As in Proposition 6.2.12, using Corollary 6.2.19 instead of Corollary 6.2.11. □


6.2.6 Consequences of normalization in NJ-LTL$^\omega$

Lemma 6.2.21 (Structure of normal proofs in NJ-LTL$^\omega$)
Let $\pi$ be a normal NJ-LTL$^\omega$ deduction and $\sigma_0, \sigma_1, \dots, \sigma_n$ a path in $\pi$ where the formula in each $\sigma_j$ is $\varphi_j$. Then there exists $i \in [0..n]$ such that $\sigma_i$ is the minimum segment of the path, i.e.

• each $\sigma_j$ in the E part of the path (i.e. such that $j < i$) is the major premise of an elimination rule and $\varphi_{j+1}$ is a subformula of $\varphi_j$;

• either $i = n$, or $\sigma_i$ is the premise of an introduction rule or of a $(\bot_E)$ rule;

• each $\sigma_j$ in the I part of the path (i.e. such that $i < j$) is the conclusion of an introduction rule and $\varphi_j$ is a subformula of $\varphi_{j+1}$.

Proof. Follows easily from the observation that in a normal deduction we have no maximum segments. □

The only slight difference with respect to the standard result is that in this case segments also span through relational rules.


Lemma 6.2.22 Consider a normal NJ-LTL$^\omega$ deduction $\pi$ of $G; \Gamma \vdash p:\varphi$ and a path $\sigma_1, \dots, \sigma_n$ in $\pi$. Let $\sigma_k$ be the minimum segment of the path and $\varphi_1, \dots, \varphi_n$ the formulas associated to $\sigma_1, \dots, \sigma_n$ respectively. Then

• either $k = 1$ and $\sigma_1$ is discharged by an application of $(\bot_E)$, or for each $j < k$ the formula $\varphi_j$ is in the assumption part of $(\Gamma, \varphi)$;

• $\varphi_k$ is in the assumption part of $(\Gamma, \varphi)$ and either $\varphi_k = \bot$ or $\varphi_k$ is also in the conclusion part of $(\Gamma, \varphi)$;

• for each $j > k$, $\varphi_j$ is in the conclusion part of $(\Gamma, \varphi)$.

Proof. The proof proceeds by induction on the order of the path. □

Corollary 6.2.23 (Subformula property) Every formula occurring in a normal deduction of $G; \Gamma \vdash p:\varphi$ is a subformula of some formula occurring in $\Gamma \cup \{p:\varphi\}$.

Proof. Proceed by induction on the order of paths applying Lemma 6.2.21. □

Corollary 6.2.24 (Separation Theorem) The only rules applied in a normal deduction of $G; \Gamma \vdash p:\varphi$ are relational rules and logical rules for connectives occurring in the formulas of $\Gamma$ and in $\varphi$.

Proof. Consequence of the subformula property. □

Theorem 6.2.25 (Consistency) The system NJ-LTL$^\omega$ is consistent.

Proof. Follows immediately from $\Gamma \vdash_{\text{NJ-LTL}^\omega} p:\varphi \Rightarrow \Gamma \vdash_{\text{NK-LTL}^\omega} p:\varphi$ and from the consistency of NK-LTL$^\omega$. □

Corollary 6.2.26 The system NJ-LTL is consistent.

Proof. Immediate from the consistency of NJ-LTL$^\omega$ and from Proposition 6.1.6. □


To establish constructive properties in the intuitionistic case we have to get rid of "useless" applications of $(\omega)$.

Lemma 6.2.27 For any normal NK-LTL$^\omega$ deduction $\pi$ there exists an equivalent normal deduction $\bar\pi$ in which each occurrence of $(\omega)$ has a relational premise of infinite length. Moreover, if $\pi$ is an intuitionistic deduction, so is $\bar\pi$.

Proof. We inductively build a new proof replacing each occurrence of $(\omega)$ whose relational premise is of finite length $n$ with its $n$-th logical premise. More precisely, consider a subdeduction $\pi'$ of $\pi$

$$
\pi' \;=\; \dfrac{p\,R^*\,q\qquad\begin{array}{c}[p = q]\\ \pi_0\\ r:\varphi\end{array}\qquad\begin{array}{c}[p\,R\,p_1]\,[p_1 = q]\\ \pi_1\\ r:\varphi\end{array}\qquad\cdots}{r:\varphi}\ (\omega)
$$

with relational premise $p\,R^*\,q$ of finite length. Let $G'$ be the set of relational formulas discharged by some rule occurring in $\pi$ below $\pi'$.

By Proposition 3.4.6 we can find two sequences $s_0, \dots, s_n$ and $e_0, \dots, e_n$ such that

$$G, G' \vdash s_0 = p,\quad e_n = q,\quad s_j = e_j,\quad s_i\,R\,e_{i+1} \qquad\text{for all } 0 \le i < n \text{ and all } 0 \le j \le n .$$

Now we can build a deduction $\pi''$ equivalent to $\pi'$ as follows:

$$
\pi'' \;=\; \dfrac{\begin{array}{c}[p\,R\,s_1]\ \cdots\ [s_{n-1}\,R\,s_n]\ [s_n = q]\\ \pi_n\{s_1/p_1, \dots, s_n/p_n\}\\ r:\varphi\end{array}}{r:\varphi}\ (\rho)
$$

where $(\rho)$ stands for the relational rules, with the other premises derived from $G, G'$, discharging the assumptions $p\,R\,s_1, s_1\,R\,s_2, \dots, s_{n-1}\,R\,s_n, s_n = q$. □


Remark 6.2.28 The analogue of the propositional disjunction property does not hold directly in temporal logic; we have to strengthen the assumptions and consider only proof contexts in which the connective $\Diamond$ does not appear.

This is due to the fact that we can prove intuitionistically $\Diamond\varphi \to \varphi \vee \bigcirc\Diamond\varphi$, as witnessed by the following deduction, in which $(\rho)$ is the relational rule that splits the assumption $p\,R^*\,q$ into the two cases $q = p$ and $p\,R\,r,\ r\,R^*\,q$:

$$
\dfrac{p:\Diamond\varphi\qquad
\dfrac{[p\,R^*\,q]\qquad
\dfrac{[q = p]\quad [q:\varphi]}{\dfrac{p:\varphi}{p:\varphi\vee\bigcirc\Diamond\varphi}\ (\vee_I)}\ (=)\qquad
\dfrac{[p\,R\,r]\qquad\dfrac{[r\,R^*\,q]\quad [q:\varphi]}{r:\Diamond\varphi}\ (\Diamond_I)}{\dfrac{p:\bigcirc\Diamond\varphi}{p:\varphi\vee\bigcirc\Diamond\varphi}\ (\vee_I)}\ (\bigcirc_I)}
{p:\varphi\vee\bigcirc\Diamond\varphi}\ (\rho)}
{p:\varphi\vee\bigcirc\Diamond\varphi}\ (\Diamond_E)
$$

From $p:\Diamond\varphi$ alone neither $p:\varphi$ nor $p:\bigcirc\Diamond\varphi$ is derivable, so the disjunction property fails as soon as $\Diamond$ occurs strictly positively in the assumptions.
Corollary 6.2.29 (Disjunction Property) Let $\Gamma$ be such that no $\varphi$ in $\Gamma$ contains a strictly positive subformula with $\vee$ or $\Diamond$ as principal sign and let $G$ be a set of relational assumptions that does not contain the $R^*$ symbol.

If $G;\Gamma \vdash p{:}\varphi_1 \vee \varphi_2$ then $G;\Gamma \vdash p{:}\varphi_i$ for some $i \in \{1, 2\}$.


Proof. Consider a normal deduction $\pi$ of $G;\Gamma \vdash p{:}\varphi_1 \vee \varphi_2$; using Lemma 6.2.27 we can assume without loss of generality that the only occurrences of $(\omega)$ in $\pi$ have relational premise of infinite length.

By the property of normal deductions, the last segment of each main path must be

• either a formula in $\Gamma$, but this is impossible since no formula in $\Gamma$ contains a strictly positive subformula with $\vee$ as principal sign;

• or the conclusion of an elimination rule, but this is also impossible since, by Lemma 6.2.22, it would imply that $\varphi_1 \vee \varphi_2$ is in the conclusion part of $\Gamma$;

• or the conclusion of a $(\bot_c)$, but in this case we would have a deduction of $G;\Gamma \vdash \bot$ and trivially also a deduction of $G;\Gamma \vdash p{:}\varphi_i$;

• or the conclusion of an $(\vee I)$ rule.

So it is sufficient to consider the last case.

Now the only rules that may occur below such an occurrence of $(\vee I)$ are indirect rules, hence either a relational rule or $(\Diamond E)$ or $(\vee E)$. Applying Lemma 6.2.22 we know that if $(\Diamond E)$ (respectively $(\vee E)$) appears below $(\vee I)$, then $\Diamond\psi$ (respectively $\psi_1 \vee \psi_2$) appears in the assumption part of $(\Gamma, \varphi_1 \vee \varphi_2)$. Clearly, the main premise of such indirect rules cannot be discharged by a rule below $(\vee I)$ (there are no introduction rules below $(\vee I)$), hence such a premise (either $\Diamond\psi$ or $\psi_1 \vee \psi_2$) must be in the conclusion part of $\Gamma$, contradicting the assumption.

So the only rules that may occur below $(\vee I)$ are relational rules; moreover these must be different from $(\omega)$, since the only occurrences of $(\omega)$ in $\pi$ have premises of infinite length and no rule below $(\vee I)$ may discharge a premise of infinite length.

Summarizing, $\pi$ will be of shape

[deduction tree missing in the source]

where $(\rho)$ are relational rules different from $(\omega)$. Finally, proceeding by case analysis on the possible rules in $(\rho)$, we immediately build a new deduction

[deduction tree missing in the source]

proving $G;\Gamma \vdash p{:}\varphi_i$. $\square$

Corollary 6.2.30 Let $\Gamma$ be such that no $\varphi$ in $\Gamma$ contains a positive subformula with $\vee$ or $\Diamond$ as principal sign and let $G$ be a set of relational assumptions that does not contain $R^*$.

If $G;\Gamma \vdash p{:}\Diamond\varphi$ then $G;\Gamma \vdash p{:}\bigcirc^n\varphi$ for some $n$.


Proof. Proceeding as in the first part of the proof of Corollary 6.2.29 we can conclude that $\pi$ is of shape

[deduction tree missing in the source]

where $(\rho)$ are relational rules different from $(\omega)$ and discharging the assumption $q\,R^*\,r$.

Now, apply Proposition 3.4.6 to find a pair of sequences $q_0, \ldots, q_n$ and … and proceed by induction on $n$.

• for $n = 0$ we have that $q$ and $r$ are equal, so that we can prove $q{:}\varphi$;

• from $q_{n-1}\,R\,q_n$ and $q_n$ equal to $r$ we immediately have a proof of $q_{n-1}{:}\bigcirc\varphi$ and, applying the induction hypothesis, also a proof of $q{:}\bigcirc^n\varphi$.

Finally, using the relational rules $(\rho)$, from $q{:}\bigcirc^n\varphi$ we obtain $p{:}\bigcirc^n\varphi$. $\square$


Corollary 6.2.31 (Existential property) Let $\Gamma$ be such that no $\varphi$ in $\Gamma$ contains a positive subformula with $\Diamond$ as principal sign and let $G$ be a set of relational assumptions that does not contain $R^*$.

If $\Gamma \vdash p{:}\Diamond\varphi$ then $\Gamma \vdash p{:}\bigcirc^{i_1}\varphi \vee \cdots \vee p{:}\bigcirc^{i_n}\varphi$, for some set of indexes $i_1, \ldots, i_n$.

Proof. The proof is similar to the proof of Corollary 4.3.9, using Corollary 6.2.30 instead of Corollary 4.3.8. $\square$


6.3 Elimination of $(\omega)$

We now show that, under some conditions on the shape of the judgment $G;\Gamma \vdash p{:}\varphi$, we can obtain a normal NK-LTL deduction starting from a normal NK-LTL$^\omega$ deduction. The same fact can be proved both in the classical and in the intuitionistic case.


Proposition 6.3.1 Let $G;\Gamma \vdash p{:}\varphi$ be a provable judgment in the $\wedge, \supset, \bigcirc, \Box$ fragment of NK-LTL$^\omega$. Assume that $\Box$ does not occur in the conclusion part of $\Gamma \vdash p{:}\varphi$ and no assumption of shape $p'\,R^*\,p''$ occurs in $G$.

Then there exists a normal deduction $\pi$ of $G;\Gamma \vdash p{:}\varphi$ such that no occurrence of $(\omega)$ in $\pi$ has a premise of infinite length.

Proof. By Proposition 6.2.12 there exists a normal proof $\pi$ of $G;\Gamma \vdash p{:}\varphi$. By the assumptions on the connectives occurring in $\Gamma \vdash p{:}\varphi$ and by Lemma 6.2.22, we know that no $(\Box I)$ may occur in $\pi$. This fact plus the assumption on $G$ immediately gives that each relational formula in $\pi$ is of finite length. $\square$


Corollary 6.3.2 Let $G;\Gamma \vdash p{:}\varphi$ be a provable judgment in the $\wedge, \supset, \bigcirc, \Box$ fragment of NK-LTL$^\omega$. Assume that $\Box$ does not occur in the conclusion part of $\Gamma \vdash p{:}\varphi$ and no assumption of shape $p'\,R^*\,p''$ occurs in $G$.

Then there exists a normal NK-LTL deduction of $G;\Gamma \vdash p{:}\varphi$.

Proof. Follows immediately from Proposition 6.3.1 and Lemma 6.2.27. $\square$
Proposition 6.3.3 Let $G;\Gamma \vdash p{:}\varphi$ be a provable judgment in NJ-LTL$^\omega$. Assume that $\Box$ does not occur in the conclusion part of $\Gamma \vdash p{:}\varphi$, $\Diamond$ does not occur in the assumption part of $\Gamma \vdash p{:}\varphi$ and no assumption of shape $p'\,R^*\,p''$ occurs in $G$.

Then there exists a normal proof $\pi$ of $G;\Gamma \vdash p{:}\varphi$ such that no occurrence of $(\omega)$ in $\pi$ has a premise of infinite length.

Proof. By Proposition 6.2.12 there exists a normal proof $\pi$ of $G;\Gamma \vdash p{:}\varphi$. By the assumptions on the connectives occurring in $G;\Gamma \vdash p{:}\varphi$ and by Lemma 6.2.22, we know that no $(\Box I)$ or $(\Diamond E)$ may occur in $\pi$. This fact plus the assumption on $G$ immediately gives that each relational formula in $\pi$ is of finite length. $\square$


Corollary 6.3.4 Let $G;\Gamma \vdash p{:}\varphi$ be a provable judgment in NJ-LTL$^\omega$. Assume that $\Box$ does not occur in the conclusion part of $\Gamma \vdash p{:}\varphi$, $\Diamond$ does not occur in the assumption part of $\Gamma \vdash p{:}\varphi$ and no assumption of shape $p'\,R^*\,p''$ occurs in $G$.

Then there exists a normal NJ-LTL deduction of $G;\Gamma \vdash p{:}\varphi$.

Proof. Follows immediately from Proposition 6.3.3 and Lemma 6.2.27. $\square$


Chapter 7 


Temporal $\lambda$-calculus


Following ideas presented in [DP96] and in [Dav96], in this section we introduce a computational interpretation of the two modal operators of intuitionistic Small Temporal Logic. The resulting calculus is a proper extension of the simply typed lambda calculus, augmented with operators to deal with $\bigcirc$ and $\Box$ types. Standard properties such as normalization and Church–Rosser are established for this new calculus.

We introduce a reduction semantics based on a "staged" reduction strategy. This strategy is then shown to be meaningful with respect to staged evaluation and code generation. Several correctness criteria of the strategy are investigated.

We add some basic types and recursion to our calculus, obtaining a "core" programming language with constructs for code generation and staged evaluation. Some examples are given to show the practical relevance of such a language.

Finally we compare the resulting language with other calculi implementing similar features.


7.1 Temporal $\lambda$-calculus


Starting from the natural deduction system NJ-STL$^{l}$, we introduce a term calculus for the $\to, \bigcirc, \Box$ fragment of intuitionistic STL.


Definition 7.1.1 (Temporal $\lambda$-calculus) The sets of types and terms are inductively defined by the following clauses:

$$\varphi \;::=\; \alpha \;\mid\; \varphi \to \varphi \;\mid\; \bigcirc\varphi \;\mid\; \Box\varphi$$
$$t \;::=\; x \;\mid\; (\lambda x.t) \;\mid\; t\,t \;\mid\; \mathrm{next}(t) \;\mid\; \mathrm{prev}(t) \;\mid\; \mathrm{box}(t) \;\mid\; \mathrm{unbox}(t)$$

where we use $\alpha$ to range over type variables, $\varphi$ to range over types and $x, t$ to range over variables and terms respectively.

We will tacitly rename bound variables, thus considering, instead of terms, equivalence classes of terms with respect to $\alpha$-conversion (here denoted with $\equiv$). We will denote with $t\{u/x\}$ the standard substitution of term $u$ for variable $x$ in term $t$.
A variable declaration is a triple $x{:}\varphi{:}p$ where $x$ is a variable, $\varphi$ a type and $p$ a world variable.

A typing context is a pair $G;\Gamma$ where $G$ is a linear set of relational formulas (cf. Definition 8.6.4) and $\Gamma$ is a set of variable declarations.

Type judgments are of the form $G;\Gamma \vdash t{:}\varphi{:}p$ where $G;\Gamma$ is a typing context and $t{:}\varphi{:}p$ is a typed term.

The formation rules for well typed terms are the following:


$$\dfrac{}{G;\Gamma, x{:}\varphi{:}p \vdash x{:}\varphi{:}p}\;(\mathrm{Ax})
\qquad
\dfrac{G, q\,R\,q';\Gamma \vdash t{:}\varphi{:}p}{G;\Gamma \vdash t{:}\varphi{:}p}\;(R_\rho)^1
\qquad
\dfrac{G, q\,R^*\,q';\Gamma \vdash t{:}\varphi{:}p}{G;\Gamma \vdash t{:}\varphi{:}p}\;(R^*)^2$$

$$\dfrac{G;\Gamma, x{:}\varphi{:}p \vdash t{:}\psi{:}p}{G;\Gamma \vdash \lambda x.t{:}\varphi \to \psi{:}p}\;(\to I)
\qquad
\dfrac{G;\Gamma \vdash t{:}\varphi \to \psi{:}p \qquad G;\Gamma \vdash u{:}\varphi{:}p}{G;\Gamma \vdash t\,u{:}\psi{:}p}\;(\to E)$$

$$\dfrac{G, p\,R\,q;\Gamma \vdash t{:}\varphi{:}q}{G;\Gamma \vdash \mathrm{next}(t){:}\bigcirc\varphi{:}p}\;(\bigcirc I)
\qquad
\dfrac{G, p\,R\,q;\Gamma \vdash t{:}\bigcirc\varphi{:}p}{G, p\,R\,q;\Gamma \vdash \mathrm{prev}(t){:}\varphi{:}q}\;(\bigcirc E)$$

$$\dfrac{G, p\,R^*\,q;\Gamma \vdash t{:}\varphi{:}q}{G;\Gamma \vdash \mathrm{box}(t){:}\Box\varphi{:}p}\;(\Box I)
\qquad
\dfrac{G, p\,R^*\,q;\Gamma \vdash t{:}\Box\varphi{:}p}{G, p\,R^*\,q;\Gamma \vdash \mathrm{unbox}(t){:}\varphi{:}q}\;(\Box E)$$

$^1$ where for no $q''$, $q\,R\,q'' \in G$.

$^2$ where either $q\,R\,q' \in G$ or $q = q'$ or there exists $q''$ such that $q\,R^*\,q'' \in G$ and $q''\,R^*\,q' \in G$.

We will denote with $\lambda^T$ the set of terms that admit a type derivation in some typing context.


Definition 7.1.2 $>_\beta$, $>_\bigcirc$ and $>_\Box$ are the minimal relations on $\lambda^T$ terms such that for each $t, u$:
$$(\lambda x.t)\,u \;>_\beta\; t\{u/x\} \qquad \mathrm{prev}(\mathrm{next}(t)) \;>_\bigcirc\; t \qquad \mathrm{unbox}(\mathrm{box}(t)) \;>_\Box\; t$$

The reduction relations $\rhd_\beta$, $\rhd_\bigcirc$ and $\rhd_\Box$ on $\lambda^T$ terms are the smallest relations compatible with the operators of the temporal $\lambda$-calculus and containing respectively $>_\beta$, $>_\bigcirc$ and $>_\Box$.

Finally take $\rhd$ as the union of $\rhd_\beta$, $\rhd_\bigcirc$ and $\rhd_\Box$. We will use $\rhd^*_\beta$, $\rhd^*_\bigcirc$, $\rhd^*_\Box$ and $\rhd^*$ to denote the reflexive transitive closure of $\rhd_\beta$, $\rhd_\bigcirc$, $\rhd_\Box$ and $\rhd$ respectively. We will also use $\rhd^+$ to denote the transitive closure of $\rhd$.


Observe that we are indeed defining terms as an encoding of NJ-STL$^{l}$ deductions; anyway, for the sake of simplicity, we decided to erase some information of minor importance for the calculus. More precisely, we can observe the following differences between a deduction $\pi$ and the corresponding term $t$:




• $\lambda$ abstractions in $t$ are not labelled with the types of the abstracted variables, i.e. the temporal $\lambda$-calculus is formulated à la Curry.

• $t$ abstracts from the relational part of $\pi$, and this is made explicit in rules $(R_\rho)$ and $(R^*)$, where the term in the conclusion is equal to the term in the premise. For the sake of conciseness we also chose to summarize the three relational rules for $R^*$ (corresponding to the three cases of the side condition of $(R^*)$) in the single rule $(R^*)$.

• the world at which $\bigcirc$ elimination occurs is not present in the term. Such information is only apparently lost, since we are using a discrete linear order for $R$;

• the world at which $\Box$ elimination occurs is not present in the term. We are assuming that $\mathrm{unbox}(\cdot)$ always eliminates at a world determined by the surrounding context. For instance, if $\mathrm{unbox}(t)$ is of type $\varphi$ at world $p$ we know that the box resulting from $t$ is eliminated at world $p$. It can be easily shown that, by using $\mathrm{next}(\cdot)$ and $\mathrm{prev}(\cdot)$, we can recover the expressiveness of the logic.

Up to the differences shown above, the reductions in the temporal $\lambda$-calculus closely correspond to reductions in STL.


Lemma 7.1.3 (Generation Lemma)
Consider a relational context $G = \{p_0\,R\,p_1, p_1\,R\,p_2, \ldots\}$, a context $\Gamma$, a type $\varphi$ and a world variable $p_k$. Then for some $\psi, \psi_1, \psi_2$ we have:

$$\begin{array}{lcl}
G;\Gamma \vdash x{:}\varphi{:}p_k & \Longrightarrow & x{:}\varphi{:}p_k \in \Gamma\\
G;\Gamma \vdash \lambda x.t{:}\varphi{:}p_k & \Longrightarrow & \varphi = \psi_1 \to \psi_2 \text{ and } G;\Gamma, x{:}\psi_1{:}p_k \vdash t{:}\psi_2{:}p_k\\
G;\Gamma \vdash t\,u{:}\varphi{:}p_k & \Longrightarrow & G;\Gamma \vdash t{:}\psi \to \varphi{:}p_k \text{ and } G;\Gamma \vdash u{:}\psi{:}p_k\\
G;\Gamma \vdash \mathrm{next}(t){:}\varphi{:}p_k & \Longrightarrow & \varphi = \bigcirc\psi \text{ and } G;\Gamma \vdash t{:}\psi{:}p_{k+1}\\
G;\Gamma \vdash \mathrm{prev}(t){:}\varphi{:}p_k & \Longrightarrow & k > 0 \text{ and } G;\Gamma \vdash t{:}\bigcirc\varphi{:}p_{k-1}\\
G;\Gamma \vdash \mathrm{box}(t){:}\varphi{:}p_k & \Longrightarrow & \varphi = \Box\psi \text{ and } G, p_k\,R^*\,q;\Gamma \vdash t{:}\psi{:}q\\
G;\Gamma \vdash \mathrm{unbox}(t){:}\varphi{:}p_k & \Longrightarrow & G;\Gamma \vdash t{:}\Box\varphi{:}p_k
\end{array}$$


Proof. Each statement can be proved by induction on the derivations. Here we consider the most interesting case.

Consider a derivation $\pi$ of $G;\Gamma \vdash \mathrm{next}(t){:}\varphi{:}p_k$. We have two cases: either the last rule in $\pi$ is $(\bigcirc I)$ or the last rule is a relational rule. In the former case, the premise of the rule is a deduction of $G;\Gamma \vdash t{:}\psi{:}p_{k+1}$ with $\varphi = \bigcirc\psi$. In the latter case we have a derivation of $G', G;\Gamma \vdash \mathrm{next}(t){:}\varphi{:}p_k$ and, by inductive hypothesis, also a derivation $\pi'$ of $G', G;\Gamma \vdash t{:}\psi{:}p_{k+1}$ where $\varphi = \bigcirc\psi$. Applying the same relational rule to $\pi'$ we immediately obtain $G;\Gamma \vdash t{:}\psi{:}p_{k+1}$. $\square$
In order to further simplify the exposition, in the following we will assume a fixed relational context $G = p_0\,R\,p_1, p_1\,R\,p_2, \ldots$. So instead of writing $G;\Gamma \vdash t{:}\varphi{:}p$ we will write only $\Gamma \vdash t{:}\varphi{:}p$.


Proposition 7.1.4 (Subject Reduction) The temporal $\lambda$-calculus enjoys subject reduction, i.e.
$$G;\Gamma \vdash t{:}\varphi{:}p \text{ and } t \rhd u \;\Longrightarrow\; G;\Gamma \vdash u{:}\varphi{:}p$$

Proof. Proceeding by induction on $t$, verify that for each $t$ and $u$
$$\begin{array}{lcl}
G;\Gamma \vdash (\lambda x.t)\,u{:}\varphi{:}p & \Longrightarrow & G;\Gamma \vdash t\{u/x\}{:}\varphi{:}p\\
G;\Gamma \vdash \mathrm{prev}(\mathrm{next}(t)){:}\varphi{:}p & \Longrightarrow & G;\Gamma \vdash t{:}\varphi{:}p\\
G;\Gamma \vdash \mathrm{unbox}(\mathrm{box}(t)){:}\varphi{:}p & \Longrightarrow & G;\Gamma \vdash t{:}\varphi{:}p.
\end{array}$$

The statement then follows by induction on the derivation of $t \rhd u$. $\square$


7.1.1 Strong Normalization 


We now define a map from temporal $\lambda$-calculus terms to simply typed $\lambda$-calculus terms that we will use in the following to prove some properties of the calculus, in particular strong normalization.

Let $T_\bigcirc$, $T_\Box$ be type variables not in the set of types of the temporal $\lambda$-calculus and $x_\bigcirc$, $x_\Box$ variables not in the set of variables of the temporal $\lambda$-calculus. Define a map $\ulcorner\cdot\urcorner$ that takes $\lambda^T$ types to simply typed $\lambda$-calculus types and temporal $\lambda$-calculus terms to simply typed $\lambda$-calculus terms:

$$\begin{array}{rcl}
\ulcorner\alpha\urcorner & = & \alpha\\
\ulcorner\varphi \to \psi\urcorner & = & \ulcorner\varphi\urcorner \to \ulcorner\psi\urcorner\\
\ulcorner\bigcirc\varphi\urcorner & = & T_\bigcirc \to \ulcorner\varphi\urcorner\\
\ulcorner\Box\varphi\urcorner & = & T_\Box \to \ulcorner\varphi\urcorner
\end{array}$$

$$\begin{array}{rcl}
\ulcorner x\urcorner & = & x\\
\ulcorner\lambda x.t\urcorner & = & \lambda x.\ulcorner t\urcorner\\
\ulcorner t\,u\urcorner & = & \ulcorner t\urcorner\,\ulcorner u\urcorner\\
\ulcorner\mathrm{next}(t)\urcorner & = & \lambda x_\bigcirc.\ulcorner t\urcorner\\
\ulcorner\mathrm{prev}(t)\urcorner & = & \ulcorner t\urcorner\,x_\bigcirc\\
\ulcorner\mathrm{box}(t)\urcorner & = & \lambda x_\Box.\ulcorner t\urcorner\\
\ulcorner\mathrm{unbox}(t)\urcorner & = & \ulcorner t\urcorner\,x_\Box
\end{array}$$

$\ulcorner\cdot\urcorner$ trivially extends to contexts via $\ulcorner\Gamma\urcorner = \{x{:}\ulcorner\varphi\urcorner \mid x{:}\varphi{:}p \in \Gamma\}$.
Lemma 7.1.5 The map $\ulcorner\cdot\urcorner$ preserves types, more precisely
$$G;\Gamma \vdash t{:}\varphi{:}p \;\Longrightarrow\; \ulcorner\Gamma\urcorner, x_\bigcirc{:}T_\bigcirc, x_\Box{:}T_\Box \vdash \ulcorner t\urcorner{:}\ulcorner\varphi\urcorner$$
where at the right of the implication $\vdash$ denotes the typing relation of the simply typed lambda calculus.

Proof. We build a derivation of $\ulcorner\Gamma\urcorner, x_\bigcirc{:}T_\bigcirc, x_\Box{:}T_\Box \vdash \ulcorner t\urcorner{:}\ulcorner\varphi\urcorner$ proceeding by induction on the size of the derivation of $G;\Gamma \vdash t{:}\varphi{:}p$.

If the derivation of $t{:}\varphi{:}p$ concludes with an axiom, then $t = x$ and $x{:}\varphi{:}p \in \Gamma$, so immediately, applying the axiom rule of the simply typed $\lambda$-calculus, $\ulcorner\Gamma\urcorner \vdash x{:}\ulcorner\varphi\urcorner$.

If the derivation of $t{:}\varphi{:}p$ concludes with a relational rule $(\mathrm{Rel})$, we have as premise a derivation of $G, G';\Gamma \vdash t{:}\varphi{:}p$, hence, by induction hypothesis, also a derivation of $\ulcorner\Gamma\urcorner \vdash \ulcorner t\urcorner{:}\ulcorner\varphi\urcorner$.

If the derivation of $t{:}\varphi{:}p$ concludes with $(\bigcirc I)$, we have $\varphi = \bigcirc\psi$, $t = \mathrm{next}(u)$ and as premise a derivation of $G, p\,R\,q;\Gamma \vdash u{:}\psi{:}q$. By inductive hypothesis $\ulcorner\Gamma\urcorner \vdash \ulcorner u\urcorner{:}\ulcorner\psi\urcorner$ and, using $(\to I)$, also $\vdash \ulcorner t\urcorner{:}\ulcorner\varphi\urcorner$.

The remaining cases are similar. $\square$


Lemma 7.1.6 For any $\lambda^T$ terms $t$ and $u$
$$\ulcorner t\{u/x\}\urcorner = \ulcorner t\urcorner\{\ulcorner u\urcorner/x\}$$

Proof. By induction on $t$.

• if $t = x$ we have $\ulcorner t\{u/x\}\urcorner = \ulcorner u\urcorner = \ulcorner t\urcorner\{\ulcorner u\urcorner/x\}$;

• if $t = y$ with $y \neq x$ then $\ulcorner t\{u/x\}\urcorner = y = \ulcorner t\urcorner\{\ulcorner u\urcorner/x\}$;

• if $t = \lambda x.t_0$, we have $\ulcorner t\{u/x\}\urcorner = \ulcorner t\urcorner = \ulcorner t\urcorner\{\ulcorner u\urcorner/x\}$, since $x$ is bound in $t$;

• if $t = \lambda y.t_0$, we choose a variable $z$ not occurring in $t$ or $u$ and obtain
$$\begin{array}{rcl}
\ulcorner t\{u/x\}\urcorner & = & \ulcorner(\lambda z.t_0\{z/y\})\{u/x\}\urcorner \;=\; \ulcorner\lambda z.t_0\{z/y\}\{u/x\}\urcorner\\
& = & \lambda z.\ulcorner t_0\{z/y\}\{u/x\}\urcorner \;=\; \lambda z.\ulcorner t_0\{z/y\}\urcorner\{\ulcorner u\urcorner/x\}\\
& = & \ulcorner\lambda z.t_0\{z/y\}\urcorner\{\ulcorner u\urcorner/x\} \;=\; \ulcorner t\urcorner\{\ulcorner u\urcorner/x\}
\end{array}$$
where the fourth equality is given by the inductive hypothesis.

The remaining cases follow similarly. $\square$


Lemma 7.1.7 The map $\ulcorner\cdot\urcorner$ preserves reductions, more precisely, given $\lambda^T$ terms $t$ and $u$,
$$t \rhd u \;\Longrightarrow\; \ulcorner t\urcorner \rhd_\beta \ulcorner u\urcorner$$
where $\rhd_\beta$ on the right of the implication denotes $\beta$ reduction in the simply typed $\lambda$-calculus.

Proof. We build a derivation of $\ulcorner t\urcorner \rhd_\beta \ulcorner u\urcorner$ proceeding by induction on the derivation of $t \rhd u$. For the base cases we have three possibilities:

• if $t >_\beta u$, it must be $t = (\lambda x.t_0)\,t_1$ and so, by Lemma 7.1.6,
$$\ulcorner t\urcorner = (\lambda x.\ulcorner t_0\urcorner)\,\ulcorner t_1\urcorner \;\rhd_\beta\; \ulcorner t_0\urcorner\{\ulcorner t_1\urcorner/x\} = \ulcorner t_0\{t_1/x\}\urcorner = \ulcorner u\urcorner$$

• if $t >_\bigcirc u$, it must be $t = \mathrm{prev}(\mathrm{next}(t_0))$ and so
$$\ulcorner t\urcorner = (\lambda x_\bigcirc.\ulcorner t_0\urcorner)\,x_\bigcirc \;\rhd_\beta\; \ulcorner t_0\urcorner = \ulcorner u\urcorner$$

• if $t >_\Box u$, it must be $t = \mathrm{unbox}(\mathrm{box}(t_0))$ and so
$$\ulcorner t\urcorner = (\lambda x_\Box.\ulcorner t_0\urcorner)\,x_\Box \;\rhd_\beta\; \ulcorner t_0\urcorner = \ulcorner u\urcorner$$

If $t \rhd u$ is not a base case, we still have several cases according to the outermost operator in $t$. Consider for instance the case $t = \lambda x.t_0$, $u = \lambda x.u_0$ and $t_0 \rhd u_0$. By induction hypothesis $\ulcorner t_0\urcorner \rhd_\beta \ulcorner u_0\urcorner$ and so also
$$\ulcorner t\urcorner = \lambda x.\ulcorner t_0\urcorner \;\rhd_\beta\; \lambda x.\ulcorner u_0\urcorner = \ulcorner u\urcorner.$$
The remaining cases are similar. $\square$

For the sake of completeness we also prove the converse.


Lemma 7.1.8 Given a well typed $\lambda^T$ term $t$ and terms $M, N$ with $\ulcorner t\urcorner = M$,
$$M \rhd_\beta N \;\Longrightarrow\; \exists u \text{ such that } \ulcorner u\urcorner = N \text{ and } t \rhd u$$
where $\rhd_\beta$ on the left of the implication denotes $\beta$ reduction in the simply typed $\lambda$-calculus.

Proof. We define $u$ and a derivation of $t \rhd u$ proceeding inductively on the derivation of $M \rhd_\beta N$.

The basic case is given by $M >_\beta N$; then $M = (\lambda x.M_1)\,M_2$, $N = M_1\{M_2/x\}$, and we can have the following cases:

• $t = (\lambda x.t_1)\,t_2$ with $\ulcorner t_1\urcorner = M_1$ and $\ulcorner t_2\urcorner = M_2$; then we can take $u = t_1\{t_2/x\}$ and obviously $t >_\beta u$;

• $t = \mathrm{prev}(\mathrm{next}(t_1))$ with $\ulcorner t_1\urcorner = M_1$ and $M_2 = x_\bigcirc$; then we can take $u = t_1$ and we have $t >_\bigcirc u$;

• $t = \mathrm{unbox}(\mathrm{box}(t_1))$ with $\ulcorner t_1\urcorner = M_1$ and $M_2 = x_\Box$; then we can take $u = t_1$ and we have $t >_\Box u$.

If $M \rhd_\beta N$ is not a base case, proceed by cases on the structure of $t$. $\square$
Theorem 7.1.9 (Strong Normalization) The temporal $\lambda$-calculus is strongly normalizing.

Proof. Assume by contradiction that there exists an infinite sequence of terms $t_0, t_1, \ldots$ in $\lambda^T$ such that $t_0 \rhd t_1 \rhd \cdots$; then by Lemma 7.1.7 we also have $\ulcorner t_0\urcorner \rhd_\beta \ulcorner t_1\urcorner \rhd_\beta \cdots$, contradicting the strong normalization of the simply typed lambda calculus. $\square$


7.1.2 Confluence

In the following we sketch the proof of the Church–Rosser property. Since the technique is completely standard we will skip most details.


Lemma 7.1.10 $\rhd_\beta$, $\rhd_\bigcirc$ and $\rhd_\Box$ are substitutive, i.e. $\forall t, t', u$:

$$\begin{array}{rcl}
t \rhd_\beta t' & \Longrightarrow & t\{u/x\} \rhd_\beta t'\{u/x\}\\
t \rhd_\bigcirc t' & \Longrightarrow & t\{u/x\} \rhd_\bigcirc t'\{u/x\}\\
t \rhd_\Box t' & \Longrightarrow & t\{u/x\} \rhd_\Box t'\{u/x\}
\end{array}$$

Proof. The proof for $\rhd_\beta$ can be found in [TS96]; the proofs for $\rhd_\bigcirc$ and $\rhd_\Box$ are essentially equal. Here we sketch the $\rhd_\bigcirc$ case.

Proceed by induction on the size of the derivation of $t \rhd_\bigcirc t'$. If $t >_\bigcirc t'$, then $t = \mathrm{prev}(\mathrm{next}(t'))$ and clearly $t\{u/x\} = \mathrm{prev}(\mathrm{next}(t'\{u/x\})) \rhd_\bigcirc t'\{u/x\}$.

If $t \not>_\bigcirc t'$, proceed by case analysis on $t$. For instance if $t = \mathrm{box}(t_0)$, $t' = \mathrm{box}(t_0')$ with $t_0 \rhd_\bigcirc t_0'$, by inductive hypothesis $t_0\{u/x\} \rhd_\bigcirc t_0'\{u/x\}$ and immediately $t\{u/x\} = \mathrm{box}(t_0\{u/x\}) \rhd_\bigcirc \mathrm{box}(t_0'\{u/x\}) = t'\{u/x\}$. $\square$


Lemma 7.1.11 $\rhd_\beta$ is weakly Church–Rosser, i.e. $\forall t, t', t''$
$$t \rhd_\beta t' \text{ and } t \rhd_\beta t'' \;\Longrightarrow\; \exists u \text{ such that } t' \rhd^*_\beta u \text{ and } t'' \rhd^*_\beta u$$

Proof. A proof can be obtained by a trivial extension of the standard proof for the simply typed $\lambda$-calculus (see [TS96]). $\square$


Lemma 7.1.12 $\rhd_\bigcirc$ and $\rhd_\Box$ are weakly Church–Rosser, i.e. $\forall t, t', t''$
$$\begin{array}{rcl}
t \rhd_\bigcirc t' \text{ and } t \rhd_\bigcirc t'' & \Longrightarrow & \exists u \text{ such that } t' \rhd^*_\bigcirc u \text{ and } t'' \rhd^*_\bigcirc u\\
t \rhd_\Box t' \text{ and } t \rhd_\Box t'' & \Longrightarrow & \exists u \text{ such that } t' \rhd^*_\Box u \text{ and } t'' \rhd^*_\Box u
\end{array}$$

Proof. The proof of the second statement is equal to the proof of the first statement up to renaming of $\mathrm{prev}(\mathrm{next}(\cdot))$ redexes into $\mathrm{unbox}(\mathrm{box}(\cdot))$ redexes. So we consider only the first statement.

The case in which the redexes are disjoint is trivial; in the other case we can assume without loss of generality $t = \mathrm{prev}(\mathrm{next}(t'))$ (the remaining cases are easily handled by induction on $t$). Then we will have either $t'' = t'$, and so we can take $u = t' = t''$, or $t'' = \mathrm{prev}(\mathrm{next}(s))$ with $t' \rhd_\bigcirc s$, and so we can take $u = s$. $\square$
Lemma 7.1.13 $\rhd^*_\beta$, $\rhd^*_\bigcirc$ and $\rhd^*_\Box$ commute with each other, i.e. $\forall t, t', t''$
$$\begin{array}{rcl}
t \rhd^*_\beta t' \text{ and } t \rhd^*_\bigcirc t'' & \Longrightarrow & \exists u \text{ such that } t' \rhd^*_\bigcirc u \text{ and } t'' \rhd^*_\beta u\\
t \rhd^*_\beta t' \text{ and } t \rhd^*_\Box t'' & \Longrightarrow & \exists u \text{ such that } t' \rhd^*_\Box u \text{ and } t'' \rhd^*_\beta u\\
t \rhd^*_\bigcirc t' \text{ and } t \rhd^*_\Box t'' & \Longrightarrow & \exists u \text{ such that } t' \rhd^*_\Box u \text{ and } t'' \rhd^*_\bigcirc u
\end{array}$$

Proof. To prove each of the statements it is sufficient to prove the weaker
$$t \rhd_1 t' \text{ and } t \rhd_2 t'' \;\Longrightarrow\; \exists u \text{ such that } t' \rhd^*_2 u \text{ and } t'' \rhd^*_1 u$$
for each pair $(\rhd_1, \rhd_2)$ of reduction relations. This can be easily proved using the substitutivity property of $\rhd_\beta$, $\rhd_\bigcirc$ and $\rhd_\Box$. The three statements can be proved in similar ways; here we prove explicitly only the first statement.

As usual, if $t'$ and $t''$ are obtained by contraction of disjoint redexes we can obtain $u$ by contracting both redexes. Let us consider the remaining cases.

• if $t = (\lambda x.t_0)\,t_1$, $t' = t_0\{t_1/x\}$ and $t'' = (\lambda x.t_0')\,t_1$, we can take $u = t_0'\{t_1/x\}$; indeed, by substitutivity of $\rhd_\bigcirc$, from $t_0 \rhd_\bigcirc t_0'$ we also have $t_0\{t_1/x\} \rhd_\bigcirc t_0'\{t_1/x\}$;

• if $t = (\lambda x.t_0)\,t_1$, $t' = t_0\{t_1/x\}$ and $t'' = (\lambda x.t_0)\,t_1'$, we can take $u = t_0\{t_1'/x\}$; indeed, it is easily seen by induction on $t_0$ that $t_0\{t_1/x\} \rhd^*_\bigcirc t_0\{t_1'/x\}$;

• if $t = \mathrm{prev}(\mathrm{next}(t''))$ and $t' = \mathrm{prev}(\mathrm{next}(s))$ with $t'' \rhd_\beta s$, simply take $u = s$;

• in the remaining cases we can proceed by induction on $t$. $\square$


Lemma 7.1.14 (Hindley–Rosen) Let $R_1$ and $R_2$ be two relations on a set $X$. If $R_1$ commutes with itself, $R_2$ commutes with itself and $R_1$ commutes with $R_2$, then $(R_1 \cup R_2)^*$ is Church–Rosser.

Proof. See [Bar91]. $\square$

Lemma 7.1.15 (Newman) $R$ strongly normalizing and weakly Church–Rosser implies $R$ Church–Rosser.

Proof. See [Bar91]. $\square$

Theorem 7.1.16 (Church–Rosser) $\rhd$ enjoys the Church–Rosser property.

Proof. By weak confluence of $\rhd_\beta$, $\rhd_\bigcirc$ and $\rhd_\Box$ and by strong normalization, an application of Newman's lemma yields confluence of $\rhd_\beta$, $\rhd_\bigcirc$ and $\rhd_\Box$. From Lemma 7.1.13 and the confluence of the relations $\rhd_\beta$, $\rhd_\bigcirc$ and $\rhd_\Box$ we obtain the thesis using the Hindley–Rosen lemma. $\square$
7.2 Multi-stage Interpretation

In recent years several works ([Dav96, DP96, Dan96, DP99, GJ97, MTES99, TS00, WLPD98]) have addressed the problems related to multi-staged evaluation and code generation.

The motivations leading to such paradigms are mainly applicative: several computing activities are naturally organized in stages, and computing in such stages often requires the execution of code generated in previous stages.

Typical examples are the following: 


• compilation may be seen as a process carried out in two stages. In the first stage a grammar is given as input to a compiler generator. The output of the first computation is code for a compiler that, in a second stage, is evaluated with a source language input. Finally evaluation of the target code is performed in a third stage.


• partial evaluation is another activity involving more than one evaluation stage. Suppose we are given a program $P$ computing a function $f{:}X \to Y \to Z$; it can be the case that $P$ will be evaluated many times with a first input $x{:}X$ known a priori. We can then specialize $P$ on the first input to a more efficient program $P_x$ computing $f(x)$. Also in this case the computation takes place in two stages and the first one involves code generation.


• macros in programming languages can also be seen as a computation performed during compilation. Among the languages in which macros are most extensively used we have LISP (see [Sus82]) and Scheme (see [ADH+98]). In these two untyped languages the distinction between code and data is blurred and it is possible to build at runtime expressions whose evaluation will be delayed. In particular in Scheme a pair of operators can be used to prevent evaluation of expressions (quoting) and to substitute expression values within quoted expressions (unquoting).


These mechanisms are expressive enough to tackle most issues arising from staged evaluation. Nevertheless the lack of a type system leaves the whole responsibility for the well-formedness of expressions on the programmer, making the construction of multi-staged programs particularly difficult. Other problems with these languages arise from the fact that quoted expressions do not behave correctly with respect to $\alpha$ equivalence, i.e. within quoted expressions the so-called "hygienic substitution" is not implemented. For a thorough introduction to Scheme as a staged language see [ ].


From such scenarios comes quite naturally the need for a language in which the whole computation can be formally described with a uniform, clean methodology. The system underlying this programming language should provide means to specify the order in which the evaluation of program fragments takes place and, moreover, provide means to describe code generation and evaluation.

Such a language can be seen both as a programming language in which the programmer specifies the computation steps with the aid of the type system and as an intermediate low-level language used for instance by binding time analyzers. In the following we will focus on the first application.


7.2.1 Interpretation of modal types 


We now discuss a computational interpretation of the two modalities of the temporal $\lambda$-calculus. From the theoretical point of view this extends the Curry–Howard isomorphism to a significant fragment of temporal logic; from the practical point of view it gives directions in the design of programming languages for multi-staged computation.

We consider the type $\Box\varphi$ as the type of code that evaluates to values of type $\varphi$. The axiomatization of S4 fits perfectly in this setting, since we have:

Necessitation: from $\varphi$ we can derive $\Box\varphi$; this can be interpreted as the possibility of building code from closed expressions. Obviously this is not possible for open expressions, and this guarantees that code does not depend on the context in which it is built.

Axiom K: $\Box(\varphi \to \psi) \to \Box\varphi \to \Box\psi$ gives us the possibility of composing code, i.e. given code for a function and code for its argument we can compose the two to obtain code for the result.

Reflexivity: $\Box\varphi \to \varphi$ gives the possibility of evaluating code of type $\Box\varphi$ to obtain values of type $\varphi$.

Transitivity: $\Box\varphi \to \Box\Box\varphi$ gives the possibility of building code whose evaluation results in code.

We interpret the type $\bigcirc\varphi$ as a specification of the time at which a value of type $\varphi$ will be available. Assuming that the computation proceeds in stages and these stages are linearly ordered, the world variables in type judgments give a convenient way to refer to such stages. Again the axioms for $\bigcirc$ in STL fit well in this interpretation:

Axiom K: $\bigcirc(\varphi \to \psi) \to \bigcirc\varphi \to \bigcirc\psi$, interpreted as: terms living in the same stage can be freely composed.

Linearity: $(\bigcirc\varphi \to \bigcirc\psi) \to \bigcirc(\varphi \to \psi)$, interpreted as the possibility to delay computation pertaining to later stages.

Finally the interplay between the modalities reflects the execution model we are describing: indeed, from $\Box\varphi \to \bigcirc^n\Box\varphi$, we have that code can be used at any stage.
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7.2.2 Reduction Semantics 


We now give a call-by-value reduction semantics in which a term $t$ is reduced to a value $v$ that can be either a value for this stage or a term whose evaluation should continue in the next stage. In the latter case the value $v$ will be of the form $\mathrm{next}(t')$ and $t'$ will be the "continuation" for the next stage.

From the considerations above, it follows that the definition of values has to be given with respect to the stage in which the term lives. It is clear that a lambda redex must be reduced if it occurs at the initial stage, but not if it occurs in a later stage. So we will divide values according to the "level at which they live".


Definition 7.2.1 (Values) The set of values $V$ is the subset of well typed terms given by the union of $V_i$, $i \in \mathbb{N}$, where the sets $V_i$ are defined by induction as follows:

$$\begin{array}{rcl}
V_0 & ::= & \lambda x.t \;\mid\; \mathrm{next}(v_1) \;\mid\; \mathrm{box}(t)\\
V_1 & ::= & \lambda x.v_1 \;\mid\; v_1\,v_1 \;\mid\; \mathrm{next}(v_2) \;\mid\; \mathrm{box}(t) \;\mid\; \mathrm{unbox}(v_1)\\
V_{n+1} & ::= & \lambda x.v_{n+1} \;\mid\; v_{n+1}\,v_{n+1} \;\mid\; \mathrm{next}(v_{n+2}) \;\mid\; \mathrm{box}(t) \;\mid\; \mathrm{unbox}(v_{n+1}) \;\mid\; \mathrm{prev}(v_n)
\end{array}$$

where $n > 0$, $v_i$ ranges over $V_i$ and $t$ ranges over $\lambda^T$.


In principle the substitution of code for variables is a different action from the substitution of other values for variables. A machine implementing code emission should probably perform several specific actions related to code management when pasting code within other code and within evaluation constructs. In particular, box and unbox statements occurring in terms to specify code boundaries should be eliminated as soon as they are not needed any more.

To deal with this aspect of evaluation we explicitly define a notion of substitution for code.

Definition 7.2.2 (Code Substitution) The substitution of code $u$ within $t$ in place of $x$ is denoted $t[u/x]$ and is defined as
$$t[u/x] = \begin{cases} t\{y/\mathrm{unbox}(x)\}\{u/x\}\{u'/y\} & \text{if } u = \mathrm{box}(u')\\[2pt] t\{u/x\} & \text{otherwise}\end{cases}$$
where $y$ is a variable not occurring free in $t$ nor in $u$ and, with abuse of notation, we wrote $t\{y/\mathrm{unbox}(x)\}$ for the natural extension of the operation $t\{y/x\}$.

In words, if $u = \mathrm{box}(u')$ for some $u'$, $t[u/x]$ is obtained by replacing each occurrence of $\mathrm{unbox}(x)$ with $u'$ and each other occurrence of $x$ with $\mathrm{box}(u')$.

In the previous definition, in order to keep things simple, we also considered the case in which $x$ occurs free in $u$; nevertheless in the following we will never need to consider such a case.
Observation 7.2.3 Given $\lambda^T$ terms $t$ and $u$, we have either
$$t[u/x] = t\{u/x\} \qquad\text{or}\qquad t\{u/x\} \rhd^*_\Box t[u/x]$$

This can be proved easily from the definition of code substitution.

Lemma 7.2.4 (Substitution Lemma) Assuming $\Gamma \vdash u{:}\psi{:}p$ and $\Gamma, x{:}\psi{:}p \vdash t{:}\varphi{:}q$ we have
$$\Gamma \vdash t[u/x]{:}\varphi{:}q$$

Proof. Follows immediately from the substitution lemma for the standard substitution, from Observation 7.2.3 and from Proposition 7.1.4. $\square$

Finally we are ready to define the reduction semantics. We will use a natural semantics (for more details see [Gun92]).


Definition 7.2.5 (Staged Reductions)
The family of reduction relations $\{\Rightarrow_n \mid n \in \mathbb{N}\}$ is inductively defined by the following rules:

Stage 0:

$$\dfrac{t \Rightarrow_0 \lambda x.t' \qquad u \Rightarrow_0 u' \qquad t'[u'/x] \Rightarrow_0 v}{t\,u \Rightarrow_0 v}
\qquad
\dfrac{}{\lambda x.t \Rightarrow_0 \lambda x.t}
\qquad
\dfrac{}{\mathrm{box}(t) \Rightarrow_0 \mathrm{box}(t)}$$

$$\dfrac{t \Rightarrow_1 u}{\mathrm{next}(t) \Rightarrow_0 \mathrm{next}(u)}
\qquad
\dfrac{t \Rightarrow_0 \mathrm{box}(u) \qquad u \Rightarrow_0 u'}{\mathrm{unbox}(t) \Rightarrow_0 u'}$$

Stage $n+1$:

$$\dfrac{}{x \Rightarrow_{n+1} x}
\qquad
\dfrac{t \Rightarrow_{n+1} u}{\lambda x.t \Rightarrow_{n+1} \lambda x.u}
\qquad
\dfrac{t \Rightarrow_{n+1} t' \qquad u \Rightarrow_{n+1} u'}{t\,u \Rightarrow_{n+1} t'\,u'}$$

$$\dfrac{t \Rightarrow_{n+2} u}{\mathrm{next}(t) \Rightarrow_{n+1} \mathrm{next}(u)}
\qquad
\dfrac{t \Rightarrow_{n+1} u}{\mathrm{prev}(t) \Rightarrow_{n+2} \mathrm{prev}(u)}
\qquad
\dfrac{t \Rightarrow_0 \mathrm{next}(u)}{\mathrm{prev}(t) \Rightarrow_1 u}$$

$$\dfrac{}{\mathrm{box}(t) \Rightarrow_{n+1} \mathrm{box}(t)}
\qquad
\dfrac{t \Rightarrow_{n+1} u}{\mathrm{unbox}(t) \Rightarrow_{n+1} \mathrm{unbox}(u)}$$


Some observations about the rules are in order. First we can divide the evaluation rules according to the stage they pertain to. As a first approximation, at stage 0 we deal with unquoted terms (not within $\mathrm{next}(\cdot)$), whereas at stages greater than 0 we deal with quoted terms (within some number of $\mathrm{next}(\cdot)$).

We can easily see that $\beta$ reductions occur only at stage 0, $\bigcirc$ reductions occur only at stage 1, whereas $\Box$ reductions may occur at level 0 or at any other level if triggered by a $\beta$ reduction.

We briefly discuss the two groups of rules.

Stage 0: the $\to$ fragment of the calculus is treated as in the standard reduction semantics for the call-by-value lambda calculus. The only difference is due to code substitution, which permits the reduction of $\mathrm{unbox}(\mathrm{box}(\cdot))$ redexes resulting from the evaluation of an application. Observe that if $\mathrm{unbox}(\mathrm{box}(u))$ is already a subterm of either $t$ or $t'$, it is not reduced by the evaluation of $t\,t'$. As usual we do not have a rule for the evaluation of variables.

Moreover we have rules for the evaluation of $\Box$ redexes but no rules for the evaluation of $\bigcirc$ redexes; indeed in a well typed term we cannot have a $\mathrm{prev}(\mathrm{next}(\cdot))$ redex at level 0.

Stage $n+1$: the rules for $\lambda$ and for application evaluate their subterms and rebuild a term from the results of the evaluations. This is needed since occurrences of $\mathrm{prev}(\cdot)$ in the term could lower the level to 0 and in this way require the evaluation of subterms.

The same approach is taken to deal with the $\mathrm{unbox}(\cdot)$ operator, whereas terms quoted by a $\mathrm{box}(\cdot)$ operator are left unevaluated.

Observe that we now need a rule for variables since at stages greater than 0 we evaluate under lambdas; consider for instance the evaluation of the term $\mathrm{next}(\lambda x.x)$.

Finally we deal with $\mathrm{next}(\cdot)$ (respectively $\mathrm{prev}(\cdot)$) either raising (lowering) the evaluation index, or reducing a $\bigcirc$ redex when at stage 1.

In the following we will also use the more standard notation $t \Downarrow u$ instead of $t \Rightarrow_0 u$.


Example 7.2.6 By the previous description it is clear that the temporal reduction strategy permits the evaluation of terms under $\lambda$ abstractions by two different mechanisms:

• using the construct $\mathrm{prev}(\cdot)$ when the $\lambda$ is quoted by a $\mathrm{next}(\cdot)$ construct. For instance, assuming $t$ is a term such that $t \Downarrow \mathrm{next}(u)$, then redexes in $t$ are reduced when evaluating $\mathrm{next}(\lambda x.\mathrm{prev}(t))$:

$$\dfrac{\dfrac{\dfrac{t \Rightarrow_0 \mathrm{next}(u)}{\mathrm{prev}(t) \Rightarrow_1 u}}{\lambda x.\mathrm{prev}(t) \Rightarrow_1 \lambda x.u}}{\mathrm{next}(\lambda x.\mathrm{prev}(t)) \Rightarrow_0 \mathrm{next}(\lambda x.u)}$$

In this case we have a reduction for the $\mathrm{prev}(\mathrm{next}(t))$ redex plus any reduction resulting from the evaluation of $t$ at stage 0.

• using code substitution when a $\beta$ reduction involves a code object. For instance

$$\dfrac{(\lambda x.\lambda y.\mathrm{unbox}(x)) \Downarrow (\lambda x.\lambda y.\mathrm{unbox}(x)) \qquad \mathrm{box}(t) \Downarrow \mathrm{box}(t) \qquad (\lambda y.\mathrm{unbox}(x))[\mathrm{box}(t)/x] \Downarrow \lambda y.t}{(\lambda x.\lambda y.\mathrm{unbox}(x))\,\mathrm{box}(t) \Downarrow \lambda y.t}$$

since $(\lambda y.\mathrm{unbox}(x))[\mathrm{box}(t)/x] = \lambda y.t$.

In this case we have only reductions of temporal redexes resulting from code being substituted in place of a variable within an $\mathrm{unbox}$ construct. $\square$
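The two mechanisms of Example 7.2.6, replayed on a small interpreter for the calculus. This is an added example in Python, not code from the thesis: it assumes untyped terms built from the constructors of Definition 7.1.1, a hypothetical `subst` implementing both $t\{u/x\}$ and the code substitution $t[u/x]$ of Definition 7.2.2, and a hypothetical `stage(t, n)` implementing the relations $\Rightarrow_n$ of Definition 7.2.5; the sample terms are constructed.

```python
# Added example (not the thesis's own code): an interpreter for the terms of
# Definition 7.1.1 with code substitution t[u/x] (Definition 7.2.2) and the
# staged reductions =>_n of Definition 7.2.5, replaying Example 7.2.6.
from dataclasses import dataclass
import itertools

@dataclass(frozen=True)
class Var:   name: str
@dataclass(frozen=True)
class Lam:   var: str; body: object
@dataclass(frozen=True)
class App:   fn: object; arg: object
@dataclass(frozen=True)
class Next:  body: object
@dataclass(frozen=True)
class Prev:  body: object
@dataclass(frozen=True)
class Box:   body: object
@dataclass(frozen=True)
class Unbox: body: object

def free_vars(t):
    if isinstance(t, Var): return {t.name}
    if isinstance(t, Lam): return free_vars(t.body) - {t.var}
    if isinstance(t, App): return free_vars(t.fn) | free_vars(t.arg)
    return free_vars(t.body)                        # next/prev/box/unbox

def fresh(avoid):
    return next(f"z{i}" for i in itertools.count() if f"z{i}" not in avoid)

def subst(t, x, u, code=False):
    """t{u/x}, capture avoiding.  With code=True and u = box(u') this is t[u/x]
    of Definition 7.2.2: unbox(x) becomes u', every other free x becomes box(u')."""
    if isinstance(t, Var):
        return u if t.name == x else t
    if code and isinstance(u, Box) and t == Unbox(Var(x)):
        return u.body
    if isinstance(t, Lam):
        if t.var == x:                              # x is bound here
            return t
        if t.var in free_vars(u):                   # rename to avoid capture
            z = fresh(free_vars(t.body) | free_vars(u) | {x})
            return Lam(z, subst(subst(t.body, t.var, Var(z)), x, u, code))
        return Lam(t.var, subst(t.body, x, u, code))
    if isinstance(t, App):
        return App(subst(t.fn, x, u, code), subst(t.arg, x, u, code))
    return type(t)(subst(t.body, x, u, code))       # next/prev/box/unbox

class Stuck(Exception):
    """No rule of Definition 7.2.5 applies: only possible for ill-typed terms."""

def stage(t, n=0):
    """Return the value v with t =>_n v; stage(t) is the stage-0 relation t ⇓ v."""
    if n == 0:
        if isinstance(t, (Lam, Box)):               # stage-0 values
            return t
        if isinstance(t, App):                      # call by value, then t'[u'/x]
            f, a = stage(t.fn, 0), stage(t.arg, 0)
            if not isinstance(f, Lam):
                raise Stuck(t)
            return stage(subst(f.body, f.var, a, code=True), 0)
        if isinstance(t, Next):                     # quoted term: enter stage 1
            return Next(stage(t.body, 1))
        if isinstance(t, Unbox):                    # unbox(box(u)) redex
            b = stage(t.body, 0)
            if not isinstance(b, Box):
                raise Stuck(t)
            return stage(b.body, 0)
        raise Stuck(t)                              # no rule for x or prev at stage 0
    if isinstance(t, (Var, Box)):                   # stage n+1: rebuild, box is inert
        return t
    if isinstance(t, Lam):                          # evaluation under lambda
        return Lam(t.var, stage(t.body, n))
    if isinstance(t, App):
        return App(stage(t.fn, n), stage(t.arg, n))
    if isinstance(t, Next):                         # raise the stage index
        return Next(stage(t.body, n + 1))
    if isinstance(t, Unbox):
        return Unbox(stage(t.body, n))
    if n == 1:                                      # prev(next(u)) redex at stage 1
        v = stage(t.body, 0)
        if not isinstance(v, Next):
            raise Stuck(t)
        return v.body
    return Prev(stage(t.body, n - 1))               # lower the stage index

def example_code_substitution():
    """Second mechanism: (λx.λy.unbox(x)) box(t) ⇓ λy.t (constructed t = λw.w).
    Also returns the plain t{u/x}, which would leave an unbox(box(t)) redex."""
    t = Lam("w", Var("w"))
    prog = App(Lam("x", Lam("y", Unbox(Var("x")))), Box(t))
    plain = subst(Lam("y", Unbox(Var("x"))), "x", Box(t))
    return stage(prog), plain

def example_prev_under_next():
    """First mechanism: with t ⇓ next(u), the redexes of t are reduced inside
    next(λx.prev(t)), giving next(λx.u)."""
    t = App(Lam("x", Var("x")), Next(Lam("z", Var("z"))))   # t ⇓ next(λz.z)
    return stage(Next(Lam("x", Prev(t))))
```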
Proposition 7.2.7 Each relation <“, is a reduction strategy, t.e. for each t and u 
tou = tp*u 


Proof. We proceed by induction on the depth of the derivation of $t \xrightarrow{k} u$.

In the base case the derivation is constituted by a single rule, then $t = u$ and
obviously also $t \triangleright^* u$.

For the inductive case proceed by inspection of the last rule of the derivation:


• If the last rule is the application rule at level 0 we have
$$t = t_1 t_2, \qquad t_1 \Downarrow \lambda x.t_1', \qquad t_2 \Downarrow t_2', \qquad t_1'[t_2'/x] \Downarrow u.$$
By inductive hypothesis we also have
$$t_1 \triangleright^* \lambda x.t_1', \qquad t_2 \triangleright^* t_2', \qquad t_1'[t_2'/x] \triangleright^* u.$$
Hence by Observation 7.2.3


$$t = t_1 t_2 \triangleright^* (\lambda x.t_1')\,t_2' \triangleright t_1'[t_2'/x] \triangleright^* u$$


• if the last rule is the prev($\cdot$) rule at level 1 we have $t \Downarrow \mathrm{next}(u)$ and by
inductive hypothesis also $t \triangleright^* \mathrm{next}(u)$, therefore


$$\mathrm{prev}(t) \triangleright^* \mathrm{prev}(\mathrm{next}(u)) \triangleright u$$

• if the last rule is the box($\cdot$) rule at level 0 we have $t \Downarrow \mathrm{box}(u)$, $u \Downarrow u'$ and,
by inductive hypothesis, also $t \triangleright^* \mathrm{box}(u)$, $u \triangleright^* u'$. Hence


$$\mathrm{unbox}(t) \triangleright^* \mathrm{unbox}(\mathrm{box}(u)) \triangleright u \triangleright^* u'$$


• the proof for the remaining rules follows the same pattern used in the previous
cases, simply using the inductive hypothesis. □


The converse does not hold. Consider $t = \lambda x.((\lambda y.y)\,x)$ and $u = \lambda x.x$: since
both $t$ and $u$ are values, we have $t \Downarrow t$ and $u \Downarrow u$, whereas $t \triangleright^* u$. This mismatch
is essentially due to the fact that $\triangleright$ is defined as a compatible relation with respect to the
operators of the temporal $\lambda$-calculus, so we can reduce under each context.


7.2. MULTI STAGE INTERPRETATION 101 


7.2.3 Correctness criteria 


Here we investigate some properties of the staged reduction semantics. These will give
some insight into the relevance of the staged reduction strategy for staged evaluation.


Corollary 7.2.8 (Subject Reduction) Given a $\lambda^T$ term $t$ and a context $\Gamma$ such
that $\Gamma \vdash t : \varphi : \rho$,

$$t \xrightarrow{k} u \implies \Gamma \vdash u : \varphi : \rho$$
Proof. Follows easily by Observation 7.2.3 and by the fact that $\triangleright$ enjoys subject
reduction. □


The next proposition shows that the definition of value at stage $k$ agrees with the
reduction relation $\xrightarrow{k}$.

Lemma 7.2.9 (Value Lemma) For each $t, u \in \lambda^T$, $\;t \xrightarrow{k} u \implies u \in V_k$.


Proof. We proceed by induction on the derivation of $t \xrightarrow{k} u$.

If the derivation of $t \xrightarrow{k} u$ contains a single rule, then $u$ must be either $x$ or $\lambda x.u'$
or $\mathrm{box}(u')$ and we have immediately $u \in V_k$.
For the other cases we have the following possibilities:


• if $t = t_0 u_0$ and $k = 0$, we also have derivations of $t_0 \Downarrow \lambda x.t_0'$, $u_0 \Downarrow u_0'$ and
$t_0'[u_0'/x] \Downarrow u$. By inductive hypothesis, the last derivation gives us $u \in V_0$;


• if $t = \mathrm{next}(t_0)$ and $k = 0$, we also have a derivation of $t_0 \xrightarrow{1} u_0$ and by inductive
hypothesis we have $u_0 \in V_1$. By definition of $V_0$, immediately $u = \mathrm{next}(u_0) \in V_0$;


• if $t = \mathrm{unbox}(t_0)$ and $k = 0$ we also have derivations for $t_0 \Downarrow \mathrm{box}(u_0)$ and for
$u_0 \Downarrow u$. By inductive hypothesis on the second premise, $u \in V_0$;


• if $t = \mathrm{prev}(t_0)$ and $k = 1$ we also have a derivation of $t_0 \Downarrow \mathrm{next}(u)$, so by
inductive hypothesis $\mathrm{next}(u) \in V_0$ and by definition of $V_0$, $u \in V_1$;


• the remaining cases follow immediately by inductive hypothesis and by definition of values. □


Remember that we will work in the fixed relational context $G = \{\rho_0\,R\,\rho_1, \rho_1\,R\,\rho_2, \ldots\}$.
The following proposition relates the static semantics with the dynamic
semantics. It shows that, given a term $t$, if its evaluation involves the evaluation of
a subterm $u$ at stage $k$, then $u$ is typed at world $\rho_k$. This will also justify our abuse
of the word stage when referring to world variables.
Proposition 7.2.10 Consider a $\lambda^T$ term $t$ and a context $\Gamma$ with $\Gamma \vdash t : \varphi : \rho_k$. Consider
also a derivation $\pi$ of $t \xrightarrow{k} u$; then for each $t' \xrightarrow{h} u'$ occurring in $\pi$ there exists
a context $\Gamma'$ such that $\Gamma, \Gamma' \vdash t' : \psi : \rho_h$. Moreover $\Gamma'$ does not contain variables at $\rho_0$.


Proof. We proceed by induction on $\pi$.

If $\pi$ is the trivial derivation there is nothing to prove.

Consider now the case that $\pi$ is not the trivial derivation; we show that for each
premise $t' \xrightarrow{h} u'$ of the last rule of $\pi$ there exists $\Gamma'$ such that $\Gamma, \Gamma' \vdash t' : \psi : \rho_h$, for some $\psi$.
Moreover such $\Gamma'$ does not contain variable declarations at $\rho_0$.

So let us consider the possible rules concluding $\pi$:


• if $t = t_0 u_0$ and $k = 0$, then we have the premises $t_0 \Downarrow \lambda x.t_0'$, $u_0 \Downarrow u_0'$ and
$t_0'[u_0'/x] \Downarrow u$. By Lemma 7.1.3, there exists $\psi$ such that $\Gamma \vdash t_0 : \psi \to \varphi : \rho_0$ and
$\Gamma \vdash u_0 : \psi : \rho_0$. For the last premise, we have by Proposition 7.1.4 and by
Lemma 7.2.4, $\Gamma \vdash t_0'[u_0'/x] : \varphi : \rho_0$;


• if $t = \lambda x.t_0$ and $k > 0$, we have the premise $t_0 \xrightarrow{k} u_0$. By Lemma 7.1.3 there exist
$\psi_1, \psi_2$ such that $\varphi = \psi_1 \to \psi_2$ and $\Gamma, x : \psi_1 : \rho_k \vdash t_0 : \psi_2 : \rho_k$;


• if $t = \mathrm{unbox}(t_0)$ and $k = 0$ we have the premises $t_0 \Downarrow \mathrm{box}(u_0)$ and $u_0 \Downarrow u$.
By Lemma 7.1.3, $\Gamma \vdash t_0 : \Box\varphi : \rho_0$ and applying Proposition 7.1.4 and Proposition 7.2.7
we have $\Gamma \vdash u_0 : \varphi : \rho_0$;


• if $t = \mathrm{next}(t_0)$, we have the premise $t_0 \xrightarrow{k+1} u_0$. By Lemma 7.1.3 there exists $\psi$
with $\varphi = \bigcirc\psi$ and $\Gamma \vdash t_0 : \psi : \rho_{k+1}$;


• if $t = \mathrm{prev}(t_0)$ and $k = 1$ we have the premise $t_0 \Downarrow \mathrm{next}(u)$. By Lemma 7.1.3,
$\Gamma \vdash t_0 : \bigcirc\varphi : \rho_0$;


• the remaining cases follow the same pattern.

An application of the inductive hypothesis concludes the proof. □


Proposition 7.2.11 (Determinacy)


$$t \xrightarrow{k} u \ \text{ and } \ t \xrightarrow{k} u' \implies u = u'$$


Proof. The statement follows easily by the observation that given any term $t$ and
any number $k$ there exists at most one rule concluding with $t \xrightarrow{k} u$ for some term $u$. □


Now we show that the reduction strategy is well defined from the point of view
of termination: each evaluation eventually yields some value.


Proposition 7.2.12 (Definiteness of reduction) For each closed $\lambda^T$ term $t$ there
exists a $\lambda^T$ term $u$ such that $t \Downarrow u$.

Proof. Consider a $\lambda^T$ term $t$ and a context $\Gamma$ such that $\Gamma \vdash t : \varphi : \rho_k$, and assume
that $\Gamma$ does not contain variables at $\rho_0$.

We start proving that if $t \nrightarrow^{k}$ (i.e. there does not exist a term $u$ such that $t \xrightarrow{k} u$)
then there exists a term $t'$ such that $t \triangleright^* t'$ and $t' \nrightarrow^{k}$. Proceed by induction on $t$:


• if $t = x$, the statement is vacuously true since either $k = 0$ and $x : \varphi : \rho_k$ is in
$\Gamma$, or $k > 0$ and $t \xrightarrow{k} t$;


• if $t = \lambda x.t_0$ we have two cases. If $k = 0$ the statement is vacuously true since
$t \Downarrow t$. If $k > 0$, it must be that $t_0 \nrightarrow^{k}$, so we can apply the inductive hypothesis
to obtain a term $t_0'$ and immediately we have $t' = \lambda x.t_0'$;


• if $t = t_0 t_1$, we have two cases according to $k$. If $k > 0$ either $t_0 \nrightarrow^{k}$ or
$t_1 \nrightarrow^{k}$. Assume without loss of generality the former case; then by induction
hypothesis we obtain $t_0'$ such that $t_0 \triangleright^* t_0'$ and we can take $t' = t_0' t_1$.

If $k = 0$ we can have several cases. If $t_0 \nrightarrow^{0}$ or $t_1 \nrightarrow^{0}$ we proceed as for $k > 0$.

Now, by Lemma 7.2.9 and by Corollary 7.2.8, if $t_0 \Downarrow u$, $u$ must be of the form
$\lambda x.u_0$, so the only remaining case is that $t_0 \Downarrow \lambda x.u_0$, $t_1 \Downarrow u_1$ and $u_0[u_1/x] \nrightarrow^{0}$.

In this case, by Observation 7.2.3, we can take $t' = u_0[u_1/x]$;


• the remaining cases can be shown in the same way.


So we proved that if $t \nrightarrow^{k}$ there exists $t'$ such that $t \triangleright^* t'$ and $t' \nrightarrow^{k}$.

Hence if we assume the existence of a term $t$ for which the evaluation is not
defined, by iterating the previous argument we can build an infinite chain $t =
t_0 \triangleright^* t_1 \triangleright^* \cdots$. This contradicts Theorem 7.1.9. □


Finally we show that the kind of value resulting from the computation of a term
$t$ is determined by the type of $t$.


Corollary 7.2.13 (Binding time correctness)

Let $t$ be a closed $\lambda^T$ term; then, for some $u$,

$$\begin{array}{rcl}
\vdash t : \bigcirc\varphi : \rho_0 &\implies& t \Downarrow \mathrm{next}(u) \in V_0\\
\vdash t : \Box\varphi : \rho_0 &\implies& t \Downarrow \mathrm{box}(u) \in V_0\\
\vdash t : \varphi \to \psi : \rho_0 &\implies& t \Downarrow \lambda x.u \in V_0
\end{array}$$


Proof. The proof follows immediately from Lemma 7.2.9, Corollary 7.2.8 and Proposition 7.2.12. □


This corollary, together with the observation that $\vdash \mathrm{next}(u) : \bigcirc\varphi : \rho_0$ implies
$\vdash u : \varphi : \rho_1$, justifies the idea of continuing the evaluation of a term of type $\bigcirc\varphi$ at the
next stage by evaluating its "residue" $u$.
7.3 Comparison with multi staged calculi


In this section we consider other calculi extending the $\lambda$-calculus to cope with staged
evaluation. Among the several alternatives we choose to compare the temporal
$\lambda$-calculus with the calculi $\lambda^{\bigcirc}$ and $\lambda^{\Box}$, since they are, in our opinion, the most representative
and since they provided the basis of our development. We will show that
the temporal $\lambda$-calculus fully integrates the features of both.


7.3.1 Encoding $\lambda^{\bigcirc}$


In [Dav96] Davies defines the $\lambda^{\bigcirc}$ calculus, an extension of the $\lambda$-calculus whose type
system is based on modal logic with a linear accessibility relation. Davies shows the
relevance of $\lambda^{\bigcirc}$ for staged evaluation by encoding in his system a fragment of the
language used in [GJ97] for binding time analysis.

In this section we briefly introduce $\lambda^{\bigcirc}$ and then we show that it precisely corresponds
to the $\Box$-free fragment of the temporal $\lambda$-calculus.


Definition 7.3.1 ($\lambda^{\bigcirc}$ terms and types) The sets of types and terms of $\lambda^{\bigcirc}$ are
inductively defined by the following clauses:


$$\begin{array}{rcl}
\varphi &::=& \alpha \mid \varphi \to \varphi \mid \bigcirc\varphi\\
t &::=& x \mid (\lambda x.t) \mid t_1 t_2 \mid \mathrm{next}(t) \mid \mathrm{prev}(t)
\end{array}$$


where we use $\alpha$ to range over type variables, $\varphi$ to range over types and $x, t$ to range
over variables and terms respectively.

A variable declaration is a pair $x^n{:}\varphi$ where $x$ is a variable, $\varphi$ a type and $n$ a
natural number.

A typing context $\Gamma$ is a set of variable declarations.

Type judgments are of the form $\Gamma \vdash^n t : \varphi$ where $\Gamma$ is a typing context, $t$ is a
term, $\varphi$ is a type and $n$ is a natural number.


The sets of terms and types of $\lambda^{\bigcirc}$ coincide with the sets of terms and types of
the $\Box$-free fragment of the temporal $\lambda$-calculus; we use the same notation for both
and rely on the context to distinguish between the two systems.

The difference between our presentation and the one used by Davies lies in the
choice of how world information is recorded in judgments. We use world variables,
since these provide a more general tool for the description of different modal and
temporal logics; he uses natural numbers since this gives a simpler system when
dealing with a single linear modality.
Definition 7.3.2 ($\lambda^{\bigcirc}$ typing rules)


$$\dfrac{}{\Gamma, x^n{:}\varphi \vdash^n x : \varphi}$$


$$\dfrac{\Gamma, x^n{:}\varphi \vdash^n t : \psi}{\Gamma \vdash^n \lambda x.t : \varphi \to \psi} \qquad \dfrac{\Gamma \vdash^n t_1 : \varphi \to \psi \quad \Gamma \vdash^n t_2 : \varphi}{\Gamma \vdash^n t_1 t_2 : \psi}$$


$$\dfrac{\Gamma \vdash^{n+1} t : \varphi}{\Gamma \vdash^n \mathrm{next}(t) : \bigcirc\varphi} \qquad \dfrac{\Gamma \vdash^n t : \bigcirc\varphi}{\Gamma \vdash^{n+1} \mathrm{prev}(t) : \varphi}$$


Now we define a map to amend the minor syntactic differences between $\lambda^{\bigcirc}$ judgments
and temporal $\lambda$-calculus judgments.

Remember that we are restricting our attention to judgments with a fixed relational
context $\rho_0\,R\,\rho_1, \rho_1\,R\,\rho_2, \ldots$.


Definition 7.3.3 $\ulcorner\cdot\urcorner$ is a function that associates temporal $\lambda$-calculus contexts to
$\lambda^{\bigcirc}$ contexts and $\lambda^{\bigcirc}$ judgments to temporal $\lambda$-calculus judgments, defined as follows:


$$\ulcorner \Gamma \urcorner = \{\, x : \varphi : \rho_n \mid x^n{:}\varphi \in \Gamma \,\}$$
$$\ulcorner \Gamma \vdash^n t : \varphi \urcorner = \ulcorner \Gamma \urcorner \vdash t : \varphi : \rho_n$$

As long as we consider the fixed relational context $\rho_0\,R\,\rho_1, \rho_1\,R\,\rho_2, \ldots$, $\ulcorner\cdot\urcorner$
is clearly a bijective function on type judgments. We now prove that it is also an
isomorphism with respect to typability in the two systems.


Proposition 7.3.4 For each $\lambda^{\bigcirc}$ context $\Gamma$, for each $\lambda^{\bigcirc}$ term $t$ and for each natural
number $n$:
$$\Gamma \vdash^n t : \varphi \iff \ulcorner \Gamma \urcorner \vdash t : \varphi : \rho_n$$
Proof. The proof is by induction on $t$. Clearly for the base case we have, by
definition of $\ulcorner\cdot\urcorner$, $x^n{:}\varphi \in \Gamma$ if and only if $x : \varphi : \rho_n \in \ulcorner \Gamma \urcorner$.
For non trivial deductions we treat the two implications separately.


($\Rightarrow$) If $t = \mathrm{next}(u)$ for some $u$, the deduction of $\Gamma \vdash^n t : \varphi$ concludes with the
next($\cdot$) rule, so we also have a deduction of $\Gamma \vdash^{n+1} u : \psi$ for a $\psi$ such that $\varphi =
\bigcirc\psi$. By inductive hypothesis we can build a deduction $\pi$ of $\ulcorner \Gamma \urcorner \vdash u : \psi : \rho_{n+1}$.
The desired proof can be obtained by applying ($\bigcirc I$) and (Rel) to $\pi$.


If $t = \mathrm{prev}(u)$ for some $u$, the deduction of $\Gamma \vdash^n t : \varphi$ concludes with the
prev($\cdot$) rule and we also have a deduction of $\Gamma \vdash^m u : \bigcirc\varphi$ where $n = m+1$.
By inductive hypothesis we obtain also a deduction of $\ulcorner \Gamma \urcorner \vdash u : \bigcirc\varphi : \rho_m$ and
applying ($\bigcirc E$) to such deduction we obtain a deduction of $\ulcorner \Gamma \urcorner \vdash \mathrm{prev}(u) : \varphi : \rho_n$.


In any other case the last rule applied is a propositional rule; then use the
inductive hypothesis and the corresponding rule in the temporal $\lambda$-calculus to
obtain a deduction of $\ulcorner \Gamma \urcorner \vdash t : \varphi : \rho_n$.

($\Leftarrow$) If $t = \mathrm{next}(u)$ for some $u$, by Lemma 7.1.3 we have $\varphi = \bigcirc\psi$ for some $\psi$ and
$\ulcorner \Gamma \urcorner \vdash u : \psi : \rho_{n+1}$. Applying the inductive hypothesis we obtain $\Gamma \vdash^{n+1} u : \psi$. Then,
using the rule for next($\cdot$), $\Gamma \vdash^n \mathrm{next}(u) : \bigcirc\psi$.


If $t = \mathrm{prev}(u)$ for some $u$, by Lemma 7.1.3 we have $\ulcorner \Gamma \urcorner \vdash u : \bigcirc\varphi : \rho_m$ where
$n = m+1$ and, by inductive hypothesis, we also have a deduction of $\Gamma \vdash^m
u : \bigcirc\varphi$. Using the rule for prev($\cdot$) we can immediately build a derivation of
$\Gamma \vdash^n \mathrm{prev}(u) : \varphi$.


The remaining cases can be proved in a similar way using the generation lemma
and the typing rules of $\lambda^{\bigcirc}$. □


The semantics of $\lambda^{\bigcirc}$ is defined by a transition system with the same rules used
in the $\Box$-free fragment of the temporal $\lambda$-calculus. Therefore we immediately have
the following.


Proposition 7.3.5 For each $\lambda^{\bigcirc}$ terms $t, u$
$$t \xrightarrow{k} u \text{ in } \lambda^{\bigcirc} \iff t \xrightarrow{k} u \text{ in } \lambda^T$$


And this justifies the statement that the $\Box$-free fragment of the temporal $\lambda$-calculus
and $\lambda^{\bigcirc}$ are isomorphic.


7.3.2 Encoding $\lambda^{\Box}$


In [DPar] Davies and Pfenning introduce a calculus based on intuitionistic logic S4
with operators for the management of closed code. In their calculus the S4 modality
($\Box$) corresponds to the type of closed code; accordingly, the $\Box$ introduction rule
gives the constructor for code blocks and the elimination rule gives the evaluator
for code blocks. They give two formulations of the calculus differing in the form of
the type system: a first explicit calculus in which the elimination rule for $\Box$ takes
the form of a let construct, and an implicit calculus, whose type system is motivated by
[Mas96, PW95], in which the elimination rule for box takes the form of an indexed
unbox construct.

In the rest of the section we will briefly present the explicit formulation of the
calculus of Davies and Pfenning and then describe an encoding of this system in the
temporal $\lambda$-calculus.


Definition 7.3.6 ($\lambda^{\Box}$ terms and types) The sets of types and terms are inductively
defined as follows:


$$\begin{array}{rcl}
\varphi &::=& \alpha \mid \varphi \to \varphi \mid \Box\varphi\\
t &::=& x \mid (\lambda x.t) \mid t_1 t_2 \mid u \mid \mathrm{box}(t) \mid \mathrm{let\ box}(u) = t_1\ \mathrm{in}\ t_2
\end{array}$$

where we use as usual $\alpha$ for type variables, $\varphi$ for types, $x$ for variables and $t$
for terms. The metavariable $u$ is used for modal variables (as we will see later, those
occurring in modal contexts).

An (ordinary) variable declaration is a pair $x{:}\varphi$ where $x$ is an (ordinary) variable
and $\varphi$ a type. A modal variable declaration is a pair $u{:}\varphi$ where $u$ is a modal variable
and $\varphi$ a type.

A typing context is a pair $\Delta; \Gamma$ where $\Gamma$ is a set of ordinary variable declarations
and $\Delta$ is a set of modal variable declarations. Hence, a type judgment takes the form
$\Delta; \Gamma \vdash t : \varphi$.


$$\dfrac{}{\Delta; \Gamma, x{:}\varphi \vdash x : \varphi} \qquad \dfrac{}{\Delta, u{:}\varphi; \Gamma \vdash u : \varphi}$$


$$\dfrac{\Delta; \Gamma, x{:}\varphi \vdash t : \psi}{\Delta; \Gamma \vdash \lambda x.t : \varphi \to \psi} \qquad \dfrac{\Delta; \Gamma \vdash t_1 : \varphi \to \psi \quad \Delta; \Gamma \vdash t_2 : \varphi}{\Delta; \Gamma \vdash t_1 t_2 : \psi}$$
$$\dfrac{\Delta; \cdot \vdash t : \varphi}{\Delta; \Gamma \vdash \mathrm{box}(t) : \Box\varphi} \qquad \dfrac{\Delta; \Gamma \vdash t_1 : \Box\varphi \quad \Delta, u{:}\varphi; \Gamma \vdash t_2 : \psi}{\Delta; \Gamma \vdash \mathrm{let\ box}(u) = t_1\ \mathrm{in}\ t_2 : \psi}$$


A first difference we can observe between $\lambda^{\Box}$ and the temporal $\lambda$-calculus is in the
management of the modal context. In $\lambda^{\Box}$ a set of modal variables disjoint from ordinary
variables, and two distinct contexts, are used to track the world in which a term lives.
In a temporal $\lambda$-calculus type derivation, each term is explicitly tagged with the
world at which it lives.


We now show that as long as we deal with a single modality the two approaches
are equally expressive. In order to do this we define a map from $\lambda^{\Box}$ terms to $\lambda^T$ terms
preserving type derivations.

First we need some additional notation. We will write $G_n$ to denote the set
of relational assumptions $\rho_0\,R^*\,\rho_1, \ldots, \rho_{n-1}\,R^*\,\rho_n$. Given a set of $\lambda^{\Box}$ declarations
$\Gamma = \{x_1{:}\varphi_1, \ldots, x_n{:}\varphi_n\}$ we will denote with $\Gamma{:}\rho$ the set of $\lambda^T$ declarations
$\{x_1{:}\varphi_1{:}\rho, \ldots, x_n{:}\varphi_n{:}\rho\}$ and with $\Box\Gamma{:}\rho$ the set $\{x_1{:}\Box\varphi_1{:}\rho, \ldots, x_n{:}\Box\varphi_n{:}\rho\}$.


Definition 7.3.7 Let $\ulcorner\cdot\urcorner$ be the map from $\lambda^{\Box}$ terms to $\lambda^T$ terms defined as follows:


$$\begin{array}{rcl}
\ulcorner x \urcorner &=& x\\
\ulcorner \lambda x.t \urcorner &=& \lambda x.\ulcorner t \urcorner\\
\ulcorner t_1 t_2 \urcorner &=& \ulcorner t_1 \urcorner\, \ulcorner t_2 \urcorner\\
\ulcorner u \urcorner &=& \mathrm{unbox}(u)\\
\ulcorner \mathrm{box}(t) \urcorner &=& \mathrm{box}(\ulcorner t \urcorner)\\
\ulcorner \mathrm{let\ box}(u) = t_1\ \mathrm{in}\ t_2 \urcorner &=& (\lambda u.\ulcorner t_2 \urcorner)\, \ulcorner t_1 \urcorner
\end{array}$$
Proposition 7.3.8 Given a $\lambda^{\Box}$ term $t$, if
$$\Delta; \Gamma \vdash t : \varphi$$
then, for each $n \geq 0$ and for each partition $\Delta_0, \ldots, \Delta_n$ of $\Delta$
$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, \Gamma{:}\rho_n \vdash \ulcorner t \urcorner : \varphi : \rho_n$$
Proof. We proceed by induction on the derivation of $\Delta; \Gamma \vdash t : \varphi$.


• if the last rule of the derivation is for ordinary variables, we have $t = x$ and
$x{:}\varphi \in \Gamma$ and the statement follows trivially;


• if the derivation concludes with


$$\dfrac{\Delta; \Gamma, x{:}\psi_1 \vdash t_1 : \psi_2}{\Delta; \Gamma \vdash \lambda x.t_1 : \psi_1 \to \psi_2}$$


by inductive hypothesis we have a derivation of
$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, \Gamma{:}\rho_n, x{:}\psi_1{:}\rho_n \vdash \ulcorner t_1 \urcorner : \psi_2 : \rho_n$$
and applying ($\to I$) we obtain a derivation of


$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, \Gamma{:}\rho_n \vdash \lambda x.\ulcorner t_1 \urcorner : \psi_1 \to \psi_2 : \rho_n$$


• if the derivation concludes with
$$\dfrac{\Delta; \Gamma \vdash t_1 : \psi \to \varphi \quad \Delta; \Gamma \vdash t_2 : \psi}{\Delta; \Gamma \vdash t_1 t_2 : \varphi}$$


by inductive hypothesis we also have derivations for


$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, \Gamma{:}\rho_n \vdash \ulcorner t_1 \urcorner : \psi \to \varphi : \rho_n \quad \text{and}$$
$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, \Gamma{:}\rho_n \vdash \ulcorner t_2 \urcorner : \psi : \rho_n$$


and applying ($\to E$) we immediately have a derivation for


$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, \Gamma{:}\rho_n \vdash \ulcorner t_1 \urcorner\, \ulcorner t_2 \urcorner : \varphi : \rho_n$$


• if the derivation concludes with
$$\dfrac{}{\Delta, u{:}\varphi; \Gamma \vdash u : \varphi}$$


applying ($\Box E$) and either transitivity or reflexivity of $R^*$, we immediately obtain
a derivation of


$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, u{:}\Box\varphi{:}\rho_i, \Gamma{:}\rho_n \vdash \mathrm{unbox}(u) : \varphi : \rho_n$$


where $i$ is any natural number in $0, \ldots, n$;
• if the derivation concludes with
$$\dfrac{\Delta; \cdot \vdash t_1 : \varphi}{\Delta; \Gamma \vdash \mathrm{box}(t_1) : \Box\varphi}$$


by inductive hypothesis, we also have a derivation of


$$G_{n+1};\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n \vdash \ulcorner t_1 \urcorner : \varphi : \rho_{n+1}$$


and applying ($\Box I$) and weakening we obtain a derivation of
$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, \Gamma{:}\rho_n \vdash \mathrm{box}(\ulcorner t_1 \urcorner) : \Box\varphi : \rho_n$$
• if the derivation concludes with


$$\dfrac{\Delta; \Gamma \vdash t_1 : \Box\psi \quad \Delta, u{:}\psi; \Gamma \vdash t_2 : \varphi}{\Delta; \Gamma \vdash \mathrm{let\ box}(u) = t_1\ \mathrm{in}\ t_2 : \varphi}$$


by inductive hypothesis we also have derivations for


$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, \Gamma{:}\rho_n \vdash \ulcorner t_1 \urcorner : \Box\psi : \rho_n \quad \text{and}$$
$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, u{:}\Box\psi{:}\rho_n, \Gamma{:}\rho_n \vdash \ulcorner t_2 \urcorner : \varphi : \rho_n.$$
Using ($\to I$) and ($\to E$) we can now build a derivation of


$$G_n;\ \Box\Delta_0{:}\rho_0, \ldots, \Box\Delta_n{:}\rho_n, \Gamma{:}\rho_n \vdash (\lambda u.\ulcorner t_2 \urcorner)\, \ulcorner t_1 \urcorner : \varphi : \rho_n$$
□


Corollary 7.3.9 For each $\lambda^{\Box}$ term $t$ and for each world variable $\rho$
$$\cdot; \cdot \vdash t : \varphi \implies\ \vdash \ulcorner t \urcorner : \varphi : \rho$$


The mapping $\ulcorner\cdot\urcorner$ shows the greater simplicity of $\lambda^{\Box}$ derivations with respect to temporal
$\lambda$-calculus derivations: most information about worlds in $\lambda^{\Box}$ derivations is
implicitly kept in the structure of the derivation.

Observe that some $\lambda^T$ terms never arise as the image of a $\lambda^{\Box}$ term, i.e. $\ulcorner\cdot\urcorner$ is not
surjective. For instance it can easily be seen that for each $t' \in \lambda^T$ there does not exist
$t \in \lambda^{\Box}$ such that $\ulcorner t \urcorner = \mathrm{unbox}(\mathrm{box}(\ulcorner t' \urcorner))$.

We now briefly define the reduction semantics of $\lambda^{\Box}$ and show that it agrees with
the reduction semantics of the temporal $\lambda$-calculus except for minor differences.


Definition 7.3.10 The evaluation relation $\Downarrow_\Box$ is inductively defined on $\lambda^{\Box}$ terms
by the following clauses:


$$\dfrac{t_1 \Downarrow_\Box \lambda x.t_1' \quad t_2 \Downarrow_\Box t_2' \quad t_1'\{t_2'/x\} \Downarrow_\Box s}{t_1 t_2 \Downarrow_\Box s}$$


$$\dfrac{t_1 \Downarrow_\Box \mathrm{box}(t_1') \quad t_2\{t_1'/u\} \Downarrow_\Box s}{\mathrm{let\ box}(u) = t_1\ \mathrm{in}\ t_2 \Downarrow_\Box s}$$


$$\dfrac{}{\lambda x.t \Downarrow_\Box \lambda x.t} \qquad \dfrac{}{\mathrm{box}(t) \Downarrow_\Box \mathrm{box}(t)}$$
Lemma 7.3.11 For each $\lambda^{\Box}$ terms $t_1, t_2$, for each ordinary variable $x$ and for each
modal variable $u$ we have


$$\ulcorner t_1\{t_2/x\} \urcorner = \ulcorner t_1 \urcorner[\ulcorner t_2 \urcorner/x] \qquad\qquad \ulcorner t_1 \urcorner[\mathrm{box}(\ulcorner t_2 \urcorner)/u] = \ulcorner t_1\{t_2/u\} \urcorner.$$


Proof. The first equality follows immediately from the observation that the term
$\mathrm{unbox}(x)$ cannot appear within $\ulcorner t_1 \urcorner$, since unbox($\cdot$) is used only in the translation
of modal variables.

The second equality follows by the observation that each occurrence of $u$ in
$\ulcorner t_1 \urcorner$ appears as argument of an unbox($\cdot$) construct and by the definition of code
substitution. □


Proposition 7.3.12 For each $\lambda^{\Box}$ terms $t, s$


$$t \Downarrow_\Box s \iff \ulcorner t \urcorner \Downarrow \ulcorner s \urcorner$$


Proof. By induction on the derivations of $t \Downarrow_\Box s$ and $\ulcorner t \urcorner \Downarrow \ulcorner s \urcorner$.


• the case $t$ is a variable is trivial;


• if $t = \lambda x.t'$, we have $\ulcorner \lambda x.t' \urcorner = \lambda x.\ulcorner t' \urcorner$ and clearly both $t \Downarrow_\Box t$ and $\ulcorner t \urcorner \Downarrow \ulcorner t \urcorner$;


• if $t = t_1 t_2$, by induction hypothesis, $t_2 \Downarrow_\Box t_2'$ if and only if $\ulcorner t_2 \urcorner \Downarrow \ulcorner t_2' \urcorner$ and $t_1 \Downarrow_\Box
\lambda x.t_1'$ if and only if $\ulcorner t_1 \urcorner \Downarrow \lambda x.\ulcorner t_1' \urcorner$. Moreover $x$ cannot be a modal variable,
since $t$ is a well typed $\lambda^{\Box}$ term and the rule for $\lambda$ abstraction allows only
abstraction on ordinary variables. Hence, by Lemma 7.3.11, $\ulcorner t_1' \urcorner[\ulcorner t_2' \urcorner/x] =
\ulcorner t_1'\{t_2'/x\} \urcorner$ and applying a last time the inductive hypothesis $t \Downarrow_\Box s$ if and
only if $\ulcorner t \urcorner \Downarrow \ulcorner s \urcorner$;


• if $t = \mathrm{box}(t_1)$ we immediately have $t \Downarrow_\Box s$ if and only if $\ulcorner t \urcorner \Downarrow \ulcorner s \urcorner$ since
$\mathrm{box}(t_1) \Downarrow_\Box \mathrm{box}(t_1)$ and $\mathrm{box}(\ulcorner t_1 \urcorner) \Downarrow \mathrm{box}(\ulcorner t_1 \urcorner)$;


• if $t = \mathrm{let\ box}(u) = t_1\ \mathrm{in}\ t_2$, consider separately the two implications. If $t \Downarrow_\Box s$, by
definition, $t_1 \Downarrow_\Box \mathrm{box}(t_1')$ and $t_2\{t_1'/u\} \Downarrow_\Box s$. Applying the inductive hypothesis
we have $\ulcorner t_1 \urcorner \Downarrow \mathrm{box}(\ulcorner t_1' \urcorner)$. By Lemma 7.3.11, $\ulcorner t_2 \urcorner[\mathrm{box}(\ulcorner t_1' \urcorner)/u] = \ulcorner t_2\{t_1'/u\} \urcorner$
so applying the induction hypothesis $\ulcorner t_2 \urcorner[\mathrm{box}(\ulcorner t_1' \urcorner)/u] \Downarrow \ulcorner s \urcorner$; finally, by the evaluation
rule for application, $(\lambda u.\ulcorner t_2 \urcorner)\, \ulcorner t_1 \urcorner \Downarrow \ulcorner s \urcorner$.


On the other side assume $(\lambda u.\ulcorner t_2 \urcorner)\, \ulcorner t_1 \urcorner \Downarrow s'$; then, by Corollary 7.2.13 and
Proposition 7.3.8, $\ulcorner t_1 \urcorner \Downarrow \mathrm{box}(\ulcorner t_1' \urcorner)$ so that, by inductive hypothesis, also $t_1 \Downarrow_\Box
\mathrm{box}(t_1')$. Finally, since by Lemma 7.3.11 $\ulcorner t_2 \urcorner[\mathrm{box}(\ulcorner t_1' \urcorner)/u] = \ulcorner t_2\{t_1'/u\} \urcorner$, and
since $\ulcorner t_2 \urcorner[\mathrm{box}(\ulcorner t_1' \urcorner)/u] \Downarrow s'$, by inductive hypothesis $s' = \ulcorner s \urcorner$ and $t_2\{t_1'/u\} \Downarrow_\Box s$. □
7.4 Mini-ML$^T$


We are interested in potential applications of this term calculus to staged programming
languages; in order to study such applications we extend the temporal $\lambda$-calculus
to a core calculus for a programming language.

First we start with the addition to the temporal $\lambda$-calculus of concrete types for
natural numbers, pattern matching on numbers and a construct for recursion.


$$\begin{array}{rcl}
\varphi &::=& \mathrm{nat} \mid \varphi \to \varphi \mid \bigcirc\varphi \mid \Box\varphi\\
t &::=& x \mid (\lambda x.t) \mid t_1 t_2 \mid \mathrm{rec}\,x.t \mid \mathrm{z} \mid \mathrm{s}(t) \mid \mathrm{case}(t, t_1, t_2)\\
&& \mid\ \mathrm{next}(t) \mid \mathrm{prev}(t) \mid \mathrm{box}(t) \mid \mathrm{unbox}(t)
\end{array}$$


To improve the readability of terms we will add some syntactic sugar: we will write
$\mathrm{case}\ t\ \mathrm{of}\ \mathrm{z} \Rightarrow t_1 \mid \mathrm{s}(x) \Rightarrow t_2$ for $\mathrm{case}(t, t_1, \lambda x.t_2)$ and $\mathrm{let}\ x = t_1\ \mathrm{in}\ t_2$ for $(\lambda x.t_2)\,t_1$.
We also extend the type system with the following rules:


$$\dfrac{}{G;\Gamma \vdash \mathrm{z} : \mathrm{nat} : \rho} \qquad \dfrac{G;\Gamma \vdash t : \mathrm{nat} : \rho}{G;\Gamma \vdash \mathrm{s}(t) : \mathrm{nat} : \rho} \qquad \dfrac{G;\Gamma, x{:}\varphi{:}\rho \vdash t : \varphi : \rho}{G;\Gamma \vdash \mathrm{rec}\,x.t : \varphi : \rho}$$


$$\dfrac{G;\Gamma \vdash t : \mathrm{nat} : \rho \quad G;\Gamma \vdash t_1 : \varphi : \rho \quad G;\Gamma \vdash t_2 : \mathrm{nat} \to \varphi : \rho}{G;\Gamma \vdash \mathrm{case}(t, t_1, t_2) : \varphi : \rho}$$


Then we need to augment the set of values with terms for natural numbers and
recursion. In order to do this the equations in Definition 7.2.1 become


$$\begin{array}{rcl}
V_0 &::=& \lambda x.t \mid \mathrm{z} \mid \mathrm{s}(v_0) \mid \mathrm{next}(v_1) \mid \mathrm{box}(t)\\
V_1 &::=& \lambda x.t \mid \mathrm{z} \mid \mathrm{s}(v_1) \mid v_1 v_1' \mid \mathrm{case}(v_1, v_1', v_1'') \mid \mathrm{rec}\,x.v_1\\
&& \mid\ \mathrm{next}(v_2) \mid \mathrm{box}(t) \mid \mathrm{unbox}(v_1)\\
V_{k+1} &::=& \lambda x.t \mid \mathrm{z} \mid \mathrm{s}(v_{k+1}) \mid v_{k+1} v_{k+1}' \mid \mathrm{case}(v_{k+1}, v_{k+1}', v_{k+1}'') \mid \mathrm{rec}\,x.v_{k+1}\\
&& \mid\ \mathrm{next}(v_{k+2}) \mid \mathrm{box}(t) \mid \mathrm{unbox}(v_{k+1}) \mid \mathrm{prev}(v_k)
\end{array}$$


where $k > 0$ and $v_j, v_j', v_j''$ are terms in $V_j$.


Finally we extend the definition of staged evaluation with the following clauses:


Stage 0:
$$\dfrac{t \Downarrow u}{\mathrm{s}(t) \Downarrow \mathrm{s}(u)} \qquad \dfrac{t[\mathrm{rec}\,x.t/x] \Downarrow u}{\mathrm{rec}\,x.t \Downarrow u}$$


$$\dfrac{s \Downarrow \mathrm{z} \quad t_1 \Downarrow u}{\mathrm{case}(s, t_1, t_2) \Downarrow u} \qquad \dfrac{s \Downarrow \mathrm{s}(s') \quad t_2\, s' \Downarrow u}{\mathrm{case}(s, t_1, t_2) \Downarrow u}$$

Stage n+1:
$$\dfrac{t \xrightarrow{n+1} u}{\mathrm{s}(t) \xrightarrow{n+1} \mathrm{s}(u)} \qquad \dfrac{t \xrightarrow{n+1} u}{\mathrm{rec}\,x.t \xrightarrow{n+1} \mathrm{rec}\,x.u}$$


$$\dfrac{s \xrightarrow{n+1} s' \quad t_1 \xrightarrow{n+1} t_1' \quad t_2 \xrightarrow{n+1} t_2'}{\mathrm{case}(s, t_1, t_2) \xrightarrow{n+1} \mathrm{case}(s', t_1', t_2')}$$


Obviously, stepping from the temporal $\lambda$-calculus to Mini-ML$^T$ some properties of the
typing get lost; for example the term $\mathrm{rec}\,x.x$ can easily be shown to have any type. This
is the price we have to pay for a Turing complete calculus.

Now we will briefly consider the most important properties that can be carried
over to Mini-ML$^T$.


Proposition 7.4.1 (Subject Reduction) Mini-ML$^T$ enjoys subject reduction:
$$G;\Gamma \vdash t : \varphi : \rho \ \text{ and } \ t \xrightarrow{k} u \implies G;\Gamma \vdash u : \varphi : \rho$$


Proof. Simply check that each additional clause in the definition of the evaluation
relation satisfies this property. □


Lemma 7.4.2 (Value Lemma) For each Mini-ML$^T$ terms $t$ and $u$, $\;t \xrightarrow{k} u \implies u \in V_k$.


Proof. Proceed by induction on the derivation of $t \xrightarrow{k} u$ as in Lemma 7.2.9. □


Proposition 7.4.3 (Determinacy)


$$t \xrightarrow{k} u \ \text{ and } \ t \xrightarrow{k} u' \implies u = u'$$


Proof. The statement follows easily by the observation that given any term $t$ and
any number $k$ there exists at most one rule concluding with $t \xrightarrow{k} u$ for some term $u$. □


Obviously we cannot prove the analogue of Proposition 7.2.12: indeed, in a big
step reduction semantics, definiteness of reduction for a term $t$ implies termination
of the evaluation of $t$, and clearly we have diverging terms in Mini-ML$^T$. Nevertheless
it would be interesting to show that each non diverging term is evaluated by our semantics;
this would provide a sort of correctness for the presentation of the reduction
relation.

To prove this last statement we proceed as follows: we introduce in Mini-ML$^T$ a
new term $\mathrm{stuck}$ to denote an error during evaluation, then we add a new "meta"
rule to our transition semantics


$$\dfrac{\text{no rule } (p) \text{ is applicable for } t \xrightarrow{k}}{t \xrightarrow{k} \mathrm{stuck}}$$

where we say that a rule $(p)$ is applicable for $t \xrightarrow{k}$ if there exist terms $t', t_1, \ldots, t_n$
and $t_1', \ldots, t_n'$ not containing $\mathrm{stuck}$ such that
$$\dfrac{t_1 \xrightarrow{k_1} t_1' \quad \cdots \quad t_n \xrightarrow{k_n} t_n'}{t \xrightarrow{k} t'}\ (p)$$


is an instance of $(p)$.

The reduction relation remains well defined since the premise of the rule (stuck)
can be effectively computed: we simply have to check a finite number of rules for
applicability to the term $t$.

In this way we are sure that for each term we can always apply a reduction rule.
Moreover any term giving rise to an evaluation error is evaluated to $\mathrm{stuck}$; indeed
the only rule defined for the term $\mathrm{stuck}$ is (stuck) and this evaluates again to $\mathrm{stuck}$.

Observe that in this new setting, the evaluation process of a term $t$ may have
three distinct outcomes: $t \xrightarrow{k} v$ with $v \neq \mathrm{stuck}$, $t \xrightarrow{k} \mathrm{stuck}$, and $t \nrightarrow^{k}$, or if you prefer
the evaluation of $t$ diverges.

Finally we prove that no well typed Mini-ML$^T$ term is evaluated to $\mathrm{stuck}$.


Proposition 7.4.4 Given a Mini-ML$^T$ term $t$ with $G;\Gamma \vdash t : \varphi : \rho$, if $t \xrightarrow{k} v$ then
$v \neq \mathrm{stuck}$.

Proof. Once one observes that $\mathrm{stuck}$ has no type, and so $t \neq \mathrm{stuck}$, the proof
proceeds along the same lines as the one used for Proposition 7.2.12. □


Once we have precisely defined diverging terms we can prove the following.


Proposition 7.4.5 (Binding time correctness)
Let $t$ be a closed non diverging Mini-ML$^T$ term; then, for some $u$ and some $k$,


$$\begin{array}{rcl}
\vdash t : \mathrm{nat} : \rho_0 &\implies& t \Downarrow \mathrm{s}^k(\mathrm{z}) \in V_0\\
\vdash t : \bigcirc\varphi : \rho_0 &\implies& t \Downarrow \mathrm{next}(u) \in V_0\\
\vdash t : \Box\varphi : \rho_0 &\implies& t \Downarrow \mathrm{box}(u) \in V_0\\
\vdash t : \varphi \to \psi : \rho_0 &\implies& t \Downarrow \lambda x.u \in V_0
\end{array}$$


Proof. Follows immediately from the value lemma, subject reduction and the assumption
that $t$ is non diverging. □


Another interesting property that carries over to Mini-ML$^T$ guarantees that terms
are evaluated with a meaningful reduction order with respect to their typing.


Proposition 7.4.6 Consider a Mini-ML$^T$ term $t$ and a context $\Gamma$ with $\Gamma \vdash t : \varphi : \rho_k$.
Consider also a derivation $\pi$ of $t \xrightarrow{k} u$; then for each $t' \xrightarrow{h} u'$ occurring in $\pi$ there exists a
context $\Gamma'$ such that $\Gamma, \Gamma' \vdash t' : \psi : \rho_h$. Moreover $\Gamma'$ does not contain variables at $\rho_0$.

Proof. Proceed by induction on $\pi$ as in Proposition 7.2.10, using a trivial
extension of Lemma 7.1.3. □


Now we examine some ways in which the power function can be staged. First
take a non staged definition of power.


    let power : nat → nat → nat =
      rec p. λn. λx. case n
        of z ⇒ 1
        | s(m) ⇒ x * (p m x)


Here we are assuming the existence of a $*$ function of type $\mathrm{nat} \to \mathrm{nat} \to \mathrm{nat}$ that
multiplies its arguments.

One sees immediately that it may be interesting to stage this function so as to have
$\mathrm{power}\ n \Downarrow \lambda x.\,\underbrace{x * \cdots * x}_{n \text{ times}}$. We have at least two ways to proceed.


Example 7.4.7
Using the box($\cdot$) construct we can write a function $\mathrm{powerc}$ of type $\mathrm{nat} \to \Box(\mathrm{nat} \to
\mathrm{nat})$ that given $n$ generates code to compute $\lambda x.\,\mathrm{power}\ x$.


    let powerc : nat → □(nat → nat) =
      rec p. λn. case n
        of z ⇒ box(λx. s(z))
        | s(m) ⇒ let q = unbox(p m) in box(λx. x * (q x))


We can easily see by induction on the derivation of $\mathrm{powerc}\ n \Downarrow t_n$ that $t_n =
\mathrm{box}(u_n)$ where $u_n$ is


$$u_0 = \lambda x.\,\mathrm{s}(\mathrm{z})$$


$$u_{m+1} = \lambda x.\, x * (u_m\, x)$$


so that $t_n$ contains $n$ trivial $\beta$ redexes that are not reduced in the evaluation. One
can also see that, given the type constraint, there is no way to avoid the formation
of such unwanted redexes. Indeed any recursive invocation of $\mathrm{powerc}$ will return
code for a lambda abstraction that cannot be reduced, appearing in the context of a
box constructor (recall that code substitution only reduces $\Box$ redexes). □


Example 7.4.8 Rather than a staging specification we prefer to consider $\mathrm{powerc}$
as a function producing closed code. If we are interested in a two stage version of
power it may be convenient to specify the staging using the $\bigcirc$ type. We will then be free
to manipulate open "code" and will probably be able to produce a more efficient
residual.

    let powers : nat → ○(nat → nat) =
      λn. next(λx. prev((rec p. λm.
                           case m of
                             z ⇒ next(s(z))
                           | s(m') ⇒ x * (p m'))
                         n))


Here we use the next($\cdot$) construct to quote the abstraction over $x$, then we use
the prev($\cdot$) construct to unquote the application of $n$ to the subterm $(\mathrm{rec}\ p.\ \ldots)$. We
know by Corollary 7.2.13 that $\mathrm{powers}\ n \Downarrow \mathrm{next}(t_n)$ for some $t_n \in V_1$. Moreover, by
definition of value of level 1, we also know that the subterm of $\mathrm{powers}$ unquoted by
prev will be evaluated and will not appear in $t_n$.

One can easily prove that $\mathrm{powers}\ n \Downarrow \mathrm{next}(\lambda x.\,\underbrace{x * \cdots * x}_{n \text{ times}} * \mathrm{s}(\mathrm{z}))$. □
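As an added example (this is not the thesis' code), the following Python program implements the staged evaluation relation $\xrightarrow{k}$ for the Mini-ML$^T$ constructs used above, and exercises both mechanisms of Example 7.2.6 as well as the two stage power function of this example. The tuple encoding of terms, the names ev, subst, stage_power and run_residue, the treatment of $*$ as a primitive on numerals, and the rendering of the successor branch of powers as next(x * prev(p m')) (so that both branches have type ○nat) are assumptions of the example.

```python
# Staged evaluator for the Mini-ML^T fragment above (added example, not the thesis'
# own code): ev(t, k) is t ->^k u on tuple-encoded terms; Stuck is the `stuck` outcome.
import itertools
class Stuck(Exception):
    pass
_fresh = itertools.count()

def expect(u, tag, t):
    if u[0] != tag:                # u does not have the shape the rule needs
        raise Stuck(t)
    return u

def fv(t):
    """Free variables of a term."""
    if t[0] == 'var':
        return {t[1]}
    if t[0] in ('lam', 'rec'):
        return fv(t[2]) - {t[1]}
    return set().union(*(fv(a) for a in t[1:]))

def subst(t, x, s):
    """Capture-avoiding t[s/x]; unbox(x)[box(s')/x] collapses to s' (code
    substitution, as in the second half of Example 7.2.6)."""
    tag = t[0]
    if tag == 'var':
        return s if t[1] == x else t
    if tag == 'unbox' and t[1] == ('var', x) and s[0] == 'box':
        return s[1]
    if tag in ('lam', 'rec'):
        y, body = t[1], t[2]
        if y == x:
            return t
        if y in fv(s):             # rename the binder to avoid capture
            y2 = f"{y}_{next(_fresh)}"
            body, y = subst(body, y, ('var', y2)), y2
        return (tag, y, subst(body, x, s))
    return (tag,) + tuple(subst(a, x, s) for a in t[1:])

def from_int(n):
    return ('z',) if n == 0 else ('s', from_int(n - 1))

def to_int(t):
    return 0 if t[0] == 'z' else 1 + to_int(expect(t, 's', t)[1])

def ev(t, k=0):
    """t ->^k u: stage 0 does beta and temporal reductions; at stage k >= 1 we only
    evaluate under binders and reduce prev(.) redexes when k == 1 (back to level 0)."""
    tag = t[0]
    if k == 0:
        if tag in ('lam', 'box', 'z'):         # values at stage 0
            return t
        if tag == 's':
            return ('s', ev(t[1]))
        if tag == 'app':                       # t1 ⇓ λx.t1', t2 ⇓ t2', t1'[t2'/x] ⇓ u
            f, a = expect(ev(t[1]), 'lam', t), ev(t[2])
            return ev(subst(f[2], f[1], a))
        if tag == 'next':                      # raise the level
            return ('next', ev(t[1], 1))
        if tag == 'unbox':                     # t ⇓ box(u), u ⇓ u'
            return ev(expect(ev(t[1]), 'box', t)[1])
        if tag == 'rec':                       # unfold once
            return ev(subst(t[2], t[1], t))
        if tag == 'case':
            v = ev(t[1])
            if v[0] == 'z':
                return ev(t[2])
            return ev(('app', t[3], expect(v, 's', t)[1]))
        if tag == 'mul':                       # the assumed * primitive on numerals
            return from_int(to_int(ev(t[1])) * to_int(ev(t[2])))
        raise Stuck(t)                         # free variable or prev(.) at stage 0
    if tag in ('var', 'box', 'z'):
        return t
    if tag == 'prev':
        if k == 1:                             # t ⇓ next(u) gives prev(t) ->^1 u
            return expect(ev(t[1], 0), 'next', t)[1]
        return ('prev', ev(t[1], k - 1))       # otherwise just lower the level
    if tag == 'next':
        return ('next', ev(t[1], k + 1))
    if tag in ('lam', 'rec'):
        return (tag, t[1], ev(t[2], k))
    return (tag,) + tuple(ev(a, k) for a in t[1:])   # app, s, case, mul, unbox: rebuild

# powers = λn. next(λx. prev((rec p. λm. case m of z ⇒ next(s(z))
#                | s(m') ⇒ next(x * prev(p m'))) n)); the successor branch is
# written so that both branches have type ○nat (an assumption of this example).
POWERS = ('lam', 'n', ('next', ('lam', 'x', ('prev', ('app',
    ('rec', 'p', ('lam', 'm', ('case', ('var', 'm'),
        ('next', ('s', ('z',))),
        ('lam', 'm1', ('next', ('mul', ('var', 'x'),
            ('prev', ('app', ('var', 'p'), ('var', 'm1'))))))))),
    ('var', 'n'))))))

def stage_power(n):
    """First stage: powers n ⇓ next(λx. x * (x * ... * s(z))); returns the residue."""
    return expect(ev(('app', POWERS, from_int(n))), 'next', POWERS)[1]

def run_residue(residue, x):
    """Second stage: run the residual code on a numeral at stage 0."""
    return to_int(ev(('app', residue, from_int(x))))
```

Running stage_power(3) yields the residue λx. x * (x * (x * s(z))) with the recursion fully unrolled at stage 0, and run_residue on that residue multiplies at stage 0 only.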


Example 7.4.9 Consider now the case where we want to stage the function $\mathrm{pwpw} =
\lambda n.\lambda m.\,\mathrm{power}\ (\mathrm{power}\ n\ m)$ so as to have the computation depending on $n$ performed
in a first stage and the computation depending on $m$ performed in a second stage.

As for the power example we can follow two different approaches: we could
define either a term $\mathrm{pwpwc} : \mathrm{nat} \to \Box(\mathrm{nat} \to \Box(\mathrm{nat} \to \mathrm{nat}))$ or a term $\mathrm{pwpws} : \mathrm{nat} \to
\bigcirc(\mathrm{nat} \to \bigcirc(\mathrm{nat} \to \mathrm{nat}))$.

For $\mathrm{pwpwc}$ we would have the trivial redexes we had also in $\mathrm{powerc}$, whereas
$\mathrm{pwpws}$ would give more efficient residues for $\mathrm{pwpws}\ n$ and $\mathrm{pwpw}\ n\ m$. But there is
also another important difference.

Whereas we can define $\mathrm{pwpwc}$ simply in terms of $\mathrm{powerc}$


    let pwpwc : nat → □(nat → □(nat → nat)) =
      λn. λm. unbox(powerc) (powerc n m)


the same is not possible for $\mathrm{pwpws}$, since $\mathrm{powers}$ is bound to the stage in which
it is defined and cannot be used in a different stage, but in this case we would need to
invoke $\mathrm{powers}$ in the first and in the second stage of evaluation.

A different solution comes from mixing the two constructs; take


    let powersc : □(nat → ○(nat → nat)) = box(powers)


    let pwpwsc : nat → ○(nat → ○(nat → nat)) =
      λn. next(λm. unbox(powersc) (prev(unbox(powersc) n) m))


$\mathrm{powersc}$ is now code for a staged version of the power function and can be used
at any time after its definition (i.e. it is cross stage persistent). The definition of
$\mathrm{pwpwsc}$ is essentially the standard definition enriched with information regarding
the evaluation of code and the staging of the evaluated code.

It is easy to see that


$$\mathrm{pwpwsc}\ n \Downarrow \mathrm{next}(\lambda m.\,\mathrm{unbox}(\mathrm{powersc})\,((\lambda x.\,\underbrace{x * \cdots * x}_{n \text{ times}} * \mathrm{s}(\mathrm{z}))\ m))$$


$$(\lambda m.\,\mathrm{unbox}(\mathrm{powersc})\,((\lambda x.\,\underbrace{x * \cdots * x}_{n \text{ times}} * \mathrm{s}(\mathrm{z}))\ m))\ m \Downarrow \lambda x.\,\underbrace{x * \cdots * x}_{m^n \text{ times}}$$


Chapter 8 


Temporal Logics in Logical 
Framework 


In this chapter we will consider some of the possible implementations of the
logical systems described in Chapter 3 and in Chapter 5 within logical frameworks.
The emphasis will be on using the logical systems rather than proving properties
about them, so using the terminology introduced in [BC93] we will consider logical
frameworks rather than metalogical frameworks.

We will start by describing briefly the dependently typed $\lambda$-calculus; this will be the
system in which the object logics will be encoded. The paradigm of the encoding is
judgments-as-types: judgments of the object logic will correspond to types of the
underlying logic (see [HHP93]).


8.1 Dependently Typed $\lambda$-calculus


In our presentation we will follow [Pfe99]. This presentation differs from more
standard formulations (see for instance [Bar92]) mainly in two aspects.

First, equality is $\beta\eta$ rather than $\beta$; this complicates the theory of $\lambda^\Pi$ but simplifies
the formulation of the encoding (complications of the metatheory arise from the
fact that $\eta$ reductions do not preserve type).

Second, $\lambda$ abstraction is not present at the level of families; this will not have significant
impact on the system, it only simplifies the presentation.

The abstract syntax of $\lambda^\Pi$ pseudo-terms is defined as follows:


$$\mathrm{Terms} ::= x \mid \mathrm{type} \mid \Pi x{:}U.V \mid \lambda x{:}U.V \mid U\,V$$


where $x$ ranges over a set $\mathcal{V}$ of variables and $U, V$ range over the set of pseudo-terms.
In order to improve readability we will use the following syntactic conventions:


• when $x$ does not occur in $V$, we will write $U \to V$ for the term $\Pi x{:}U.V$;


• the term $\Pi x_1, \ldots, x_n{:}U.V$ will be used as a shorthand for $\Pi x_1{:}U.\cdots\Pi x_n{:}U.V$.
$\lambda^\Pi$ terms are a subset of pseudo-terms defined by means of typing rules. Terms
can be seen as living on three distinct levels: kinds, families and objects. To make the
separation more clear we split the set $\mathcal{V}$ of variables into three disjoint sets $C_F, C_O, V_O$
whose elements will be called family constants, object constants and object variables
respectively.

As usual the term formation rules are given with respect to an assignment of
types for variables (or basis in Barendregt's terminology). Since type declarations
will have different intended meanings (some will be used to encode the object logic
and some will be used to encode objects living within the object logic) we will record
such declarations in two distinct lists: signatures and contexts.

A signature is an ordered sequence $x_1{:}U_1, \ldots, x_n{:}U_n$ where $x_i \in C_F \cup C_O$ and
$U_i$ is a pseudo-term. A context is an ordered sequence $x_1{:}U_1, \ldots, x_n{:}U_n$ where each
$x_i \in V_O$ and each $U_i$ is a pseudo-term.

Finally, the term formation rules are given with respect to a valid type assignment
$\Sigma;\Gamma$ where $\Sigma$ is a signature and $\Gamma$ is a context. Valid signatures and contexts are
inductively defined by means of formation rules; we will write $\Sigma;\Gamma\ \mathrm{valid}$ to denote
type assignments that can be built by such formation rules.

To avoid cluttering the rules with side conditions, we use different metavariables
for terms, variables and constants of different levels:

  Level      terms           constants       variables
  kinds      $K, \dots$
  families   $A, B, \dots$   $a, b, \dots$
  objects    $M, N, \dots$   $c, d, \dots$   $x, y, \dots$

Kinds
$$\frac{\Sigma;\Gamma\ \mathit{valid}}{\Sigma;\Gamma \vdash \mathsf{type} : \mathsf{kind}}
\qquad
\frac{\Sigma;\Gamma \vdash A : \mathsf{type} \quad \Sigma;\Gamma, x{:}A \vdash K : \mathsf{kind}}{\Sigma;\Gamma \vdash \Pi x{:}A.K : \mathsf{kind}}$$

Families
$$\frac{\Sigma;\Gamma \vdash K : \mathsf{kind} \quad a{:}K \in \Sigma}{\Sigma;\Gamma \vdash a : K}
\qquad
\frac{\Sigma;\Gamma \vdash A : \mathsf{type} \quad \Sigma;\Gamma, x{:}A \vdash B : \mathsf{type}}{\Sigma;\Gamma \vdash \Pi x{:}A.B : \mathsf{type}}
\qquad
\frac{\Sigma;\Gamma \vdash A : \Pi x{:}B.K \quad \Sigma;\Gamma \vdash M : B}{\Sigma;\Gamma \vdash A\,M : K\{M/x\}}$$

Objects
$$\frac{x{:}A \in \Gamma \quad \Sigma;\Gamma\ \mathit{valid}}{\Sigma;\Gamma \vdash x : A}
\qquad
\frac{c{:}A \in \Sigma \quad \Sigma;\Gamma\ \mathit{valid}}{\Sigma;\Gamma \vdash c : A}$$
$$\frac{\Sigma;\Gamma \vdash M : \Pi x{:}A.B \quad \Sigma;\Gamma \vdash N : A}{\Sigma;\Gamma \vdash M\,N : B\{N/x\}}
\qquad
\frac{\Sigma;\Gamma \vdash A : \mathsf{type} \quad \Sigma;\Gamma, x{:}A \vdash M : B}{\Sigma;\Gamma \vdash \lambda x{:}A.M : \Pi x{:}A.B}$$

Equality
$$\frac{\Sigma;\Gamma \vdash U : V \quad \Sigma;\Gamma \vdash V = V' : W}{\Sigma;\Gamma \vdash U : V'}$$
where the judgment $\Sigma;\Gamma \vdash V = V' : W$ denotes $\beta\eta$-equality for typed terms $V$ and $V'$ of
type $W$. The type of the terms is recorded in the equality judgment in order to cope
with the fact that $\beta\eta$ equality does not preserve types; the standard
example is the term $\lambda x{:}A.(\lambda y{:}B.y)\,x$.
For more information on $\beta\eta$ equality in Pure Type Systems see [Geu92, Pfe99].


Valid Signatures and Contexts
$$\frac{}{\cdot;\cdot\ \mathit{valid}}
\qquad
\frac{\Sigma;\Gamma\ \mathit{valid} \quad \Sigma;\Gamma \vdash A : \mathsf{type} \quad x \notin \Gamma}{\Sigma;\Gamma, x{:}A\ \mathit{valid}}$$
$$\frac{\Sigma;\cdot\ \mathit{valid} \quad \Sigma;\cdot \vdash K : \mathsf{kind} \quad a \notin \Sigma}{\Sigma, a{:}K;\cdot\ \mathit{valid}}
\qquad
\frac{\Sigma;\cdot\ \mathit{valid} \quad \Sigma;\cdot \vdash A : \mathsf{type} \quad c \notin \Sigma}{\Sigma, c{:}A;\cdot\ \mathit{valid}}$$


Standard properties of Pure Type Systems (see [Ber90]) can be proved also for
this formulation of the dependently typed $\lambda$-calculus.


Proposition 8.1.1 $\lambda P$ enjoys the following properties:


Exchange

If $\Sigma_1, x{:}U_1, y{:}U_2, \Sigma_2;\Gamma \vdash V : W$ and $\Sigma_1, y{:}U_2;\cdot\ \mathit{valid}$
then $\Sigma_1, y{:}U_2, x{:}U_1, \Sigma_2;\Gamma \vdash V : W$;

If $\Sigma;\Gamma_1, x{:}U_1, y{:}U_2, \Gamma_2 \vdash V : W$ and $\Sigma;\Gamma_1, y{:}U_2\ \mathit{valid}$
then $\Sigma;\Gamma_1, y{:}U_2, x{:}U_1, \Gamma_2 \vdash V : W$.

Weakening

If $\Sigma;\Gamma \vdash U : V$ and $\Sigma;\Gamma, x{:}W'\ \mathit{valid}$ then $\Sigma;\Gamma, x{:}W' \vdash U : V$.

Substitution

If $\Sigma;\Gamma_1 \vdash U : V$ and $\Sigma;\Gamma_1, x{:}V, \Gamma_2 \vdash W : W'$
then $\Sigma;\Gamma_1, \Gamma_2\{U/x\} \vdash W\{U/x\} : W'\{U/x\}$.


Moreover the following also holds.


Proposition 8.1.2 (Decidability of typing) The typing relations of $\lambda P$ are decidable.


The last property is of paramount importance for logical framework design. Indeed,
since in these frameworks the encoding of logical systems follows the paradigm
of proof checking as type checking, decidability of type checking at the level of the
meta logic corresponds to decidability of proof checking at the level of the object logic.
The main obstacle to decidability is the equality rule, in which it is
required to check whether two terms are equal up to $\beta\eta$ conversion. This is solved by
reducing each term to its canonical form ($\beta$-reduced, $\eta$-expanded form) and checking
equality over canonical terms.

Canonical terms play an important role in the system for another reason as well. As we
will see more precisely in the following, the $\lambda P$ terms resulting from the encoding of
the object logic entities will be exactly the canonical terms inhabiting some specific
type.

In order to be able to reason about the result of such encodings, we give an
inductive definition of canonical term. Before giving the formation rules for canonical
terms we need an additional notion.

Given a valid typing environment $\Sigma;\Gamma$ and terms $A, K$ such that $\Sigma;\Gamma \vdash A : K$,
we say that $A$ is a basic family if $A$ is of the form $a\,M_1 \dots M_n$ for some $a$ of arity $n$.

The rules for the construction of canonical terms make use of the following
judgments:

$\Sigma;\Gamma \vdash A\ \mathit{basic}$, denoting that $A$ is a basic family;
$\Sigma;\Gamma \vdash U \Uparrow V$, denoting that $U$ is a canonical term of type $V$;
$\Sigma;\Gamma \vdash U \Downarrow V$, denoting that $U$ is atomic of type $V$.


Canonical Objects
$$\frac{\Sigma;\Gamma \vdash A \Uparrow \mathsf{type} \quad \Sigma;\Gamma, x{:}A \vdash M \Uparrow B}{\Sigma;\Gamma \vdash \lambda x{:}A.M \Uparrow \Pi x{:}A.B}
\qquad
\frac{\Sigma;\Gamma \vdash M \Downarrow A \quad \Sigma;\Gamma \vdash A\ \mathit{basic}}{\Sigma;\Gamma \vdash M \Uparrow A}$$

Atomic Objects
$$\frac{c{:}A \in \Sigma}{\Sigma;\Gamma \vdash c \Downarrow A}
\qquad
\frac{x{:}A \in \Gamma}{\Sigma;\Gamma \vdash x \Downarrow A}
\qquad
\frac{\Sigma;\Gamma \vdash M \Downarrow \Pi x{:}A.B \quad \Sigma;\Gamma \vdash N \Uparrow A}{\Sigma;\Gamma \vdash M\,N \Downarrow B\{N/x\}}$$

Canonical Families
$$\frac{\Sigma;\Gamma \vdash A \Uparrow \mathsf{type} \quad \Sigma;\Gamma, x{:}A \vdash B \Uparrow \mathsf{type}}{\Sigma;\Gamma \vdash \Pi x{:}A.B \Uparrow \mathsf{type}}
\qquad
\frac{\Sigma;\Gamma \vdash A \Downarrow \mathsf{type} \quad \Sigma;\Gamma \vdash A\ \mathit{basic}}{\Sigma;\Gamma \vdash A \Uparrow \mathsf{type}}$$

Atomic Families
$$\frac{a{:}K \in \Sigma}{\Sigma;\Gamma \vdash a \Downarrow K}
\qquad
\frac{\Sigma;\Gamma \vdash A \Downarrow \Pi x{:}B.K \quad \Sigma;\Gamma \vdash M \Uparrow B}{\Sigma;\Gamma \vdash A\,M \Downarrow K\{M/x\}}$$


8.2 Encoding in the Dependently Typed $\lambda$-calculus


In this section we will define a $\lambda P$ signature $\Sigma_{LTL}$ to encode LTL formulas, judgments
and deductions. A similar approach for modal logics has been followed in [BMV98b,
Mic97].
8.2.1 Encoding Formulas


In this section we define the set of $\lambda P$ terms used to represent formulas of LTL. This
set is described by means of a signature specifying a $\lambda P$ type for formulas and a set
of constructors for the logical connectives.

First we need a family for formulas, for which we introduce a constant $o$; then
we need a constructor for each connective of LTL. The resulting declarations will be
recorded in the signature $\Sigma_{LTL}$.

Let $\Sigma_{LTL}$ be the signature containing the following declarations:

  $o : \mathsf{type}$                $\mathit{bot} : o$                  $\mathit{next} : o \to o$
  $\mathit{imp} : o \to o \to o$                                          $\mathit{box} : o \to o$
  $\mathit{or} : o \to o \to o$                                           $\mathit{dia} : o \to o$
  $\mathit{and} : o \to o \to o$

In order to complete the definition of the set of $\lambda P$ terms representing LTL
formulas, we need a representation for propositional variables. Following standard
practice, we choose to encode propositional variables with $\lambda P$ variables of type $o$.

Assume given a map from the set of propositional variables $\mathcal{L}$ to the set of object
variables $\mathcal{V}_O$ that associates to each propositional variable $a$ a distinct $\lambda P$ variable
$x_a$.

Then we can define the map $\ulcorner\cdot\urcorner$ from the language of LTL formulas over $\mathcal{L}$ to
$\lambda P$ pseudo-terms as follows:

$\ulcorner a \urcorner = x_a$
$\ulcorner \bot \urcorner = \mathit{bot}$
$\ulcorner \varphi \wedge \psi \urcorner = \mathit{and}\,\ulcorner\varphi\urcorner\,\ulcorner\psi\urcorner$
$\ulcorner \varphi \vee \psi \urcorner = \mathit{or}\,\ulcorner\varphi\urcorner\,\ulcorner\psi\urcorner$
$\ulcorner \varphi \to \psi \urcorner = \mathit{imp}\,\ulcorner\varphi\urcorner\,\ulcorner\psi\urcorner$
$\ulcorner \bigcirc\varphi \urcorner = \mathit{next}\,\ulcorner\varphi\urcorner$
$\ulcorner \Box\varphi \urcorner = \mathit{box}\,\ulcorner\varphi\urcorner$
$\ulcorner \Diamond\varphi \urcorner = \mathit{dia}\,\ulcorner\varphi\urcorner$


In order to establish the correctness of the map we need a representation of the
set of free variables of a formula; first we introduce a bit of notation.

Given a set of propositional variables $X = \{a_1,\dots,a_n\}$, we will write $\Gamma_X$ for the
$\lambda P$ environment $\{x_{a_1}{:}o,\dots,x_{a_n}{:}o\}$.

The following proposition states that the map $\ulcorner\cdot\urcorner$ is well defined over the set of
canonical $\lambda P$ terms.


Proposition 8.2.1 Let $\varphi$ be an LTL formula with propositional variables in $X$,
then
$$\Sigma_{LTL};\Gamma_X \vdash \ulcorner\varphi\urcorner \Uparrow o$$
i.e. the encoding of $\varphi$ is a $\lambda P$ canonical term in the typing environment $\Sigma_{LTL};\Gamma_X$.


Proof. Follows easily by induction on $\varphi$.
If $\varphi$ is a propositional variable $a$, then clearly $\Sigma_{LTL};\Gamma_X \vdash x_a \Uparrow o$, since $x_a{:}o \in \Gamma_X$.
Consider now the case $\varphi = \psi_1 \wedge \psi_2$; then, by induction hypothesis,

$$\Sigma_{LTL};\Gamma_X \vdash \ulcorner\psi_1\urcorner \Uparrow o, \qquad \Sigma_{LTL};\Gamma_X \vdash \ulcorner\psi_2\urcorner \Uparrow o.$$

Then, by definition of canonical term, $\Sigma_{LTL};\Gamma_X \vdash \mathit{and}\,\ulcorner\psi_1\urcorner\,\ulcorner\psi_2\urcorner \Downarrow o$, and since $o$ is an
atomic family, we also have $\Sigma_{LTL};\Gamma_X \vdash \mathit{and}\,\ulcorner\psi_1\urcorner\,\ulcorner\psi_2\urcorner \Uparrow o$.
The other cases can be proved in the same way. □


The following proposition establishes a stronger property of $\ulcorner\cdot\urcorner$, namely its faithfulness
over the set of canonical terms of type $o$.


Proposition 8.2.2 Let $X$ be a set of propositional variables; then $\ulcorner\cdot\urcorner$ is a bijection
between LTL formulas with propositional variables in $X$ and canonical $\lambda P$ terms of
type $o$ in $\Sigma_{LTL};\Gamma_X$.


Proof. This amounts to proving that $\ulcorner\cdot\urcorner$ is injective and that for each $\lambda P$ term $M$, if
$\Sigma_{LTL};\Gamma_X \vdash M \Uparrow o$, there exists an LTL formula $\varphi$ with propositional variables in $X$
such that $M = \ulcorner\varphi\urcorner$.

The fact that $\ulcorner\cdot\urcorner$ is injective follows immediately from its definition.

In order to show that it is surjective on the set of canonical terms, we build its
inverse proceeding by induction on the construction of $\Sigma;\Gamma_X \vdash M \Uparrow o$.

The only possibility is to have $\Sigma;\Gamma_X \vdash M \Downarrow o$ and we have three cases:

• $M = x$ for some $x \in \Gamma_X$, and then $M = \ulcorner a \urcorner$ for some $a \in X$;

• $M = c$ for some $c \in \Sigma$ such that $\Sigma;\Gamma_X \vdash c : o$, so that it must be $M = \mathit{bot} = \ulcorner \bot \urcorner$;

• $M = N_1 N_2$ with $\Sigma;\Gamma_X \vdash N_1 \Downarrow \Pi x{:}A.o$ and $\Sigma;\Gamma_X \vdash N_2 \Uparrow A$. Now, since the
only family in $\Sigma;\Gamma_X$ is $o$, $A$ must be $o$ and by induction hypothesis $N_2 = \ulcorner\psi_2\urcorner$
for some $\psi_2$ with propositional variables in $X$.

For $N_1$ we have two possibilities: either $N_1$ is a constant (and then it can only
be one of $\mathit{next}$, $\mathit{box}$ and $\mathit{dia}$) or it is $P_0 P_1$ with $\Sigma;\Gamma_X \vdash P_0 \Downarrow \Pi x{:}A.o \to o$
and $\Sigma;\Gamma_X \vdash P_1 \Uparrow A$. In the former case, trivially either $M = \ulcorner \bigcirc\psi_2 \urcorner$ or
$M = \ulcorner \Box\psi_2 \urcorner$ or $M = \ulcorner \Diamond\psi_2 \urcorner$.

In the latter, again it must be $A = o$ and by induction hypothesis $P_1 = \ulcorner\psi_1\urcorner$
for some $\psi_1$ with propositional variables in $X$. Now $P_0$ can only be one of
the constants in $\Sigma$ of type $o \to o \to o$, so that $M$ will be one of the following:

$$\ulcorner \psi_1 \wedge \psi_2 \urcorner, \qquad \ulcorner \psi_1 \vee \psi_2 \urcorner, \qquad \ulcorner \psi_1 \to \psi_2 \urcorner. \qquad □$$


Finally, with the following proposition, we have that $\ulcorner\cdot\urcorner$ is a compositional
bijection between LTL formulas and canonical $\lambda P$ terms of type $o$.
Proposition 8.2.3 The map $\ulcorner\cdot\urcorner$ is compositional. More formally, consider $\varphi, \psi$
LTL formulas with propositional variables among $X$ and $a$ a propositional variable
in $X$; then

$$\ulcorner \varphi\{\psi/a\} \urcorner = \ulcorner\varphi\urcorner\{\ulcorner\psi\urcorner/x_a\}.$$

Proof. By induction on $\varphi$.

If $\varphi = a$, $\ulcorner \varphi\{\psi/a\} \urcorner = \ulcorner\psi\urcorner = x_a\{\ulcorner\psi\urcorner/x_a\} = \ulcorner\varphi\urcorner\{\ulcorner\psi\urcorner/x_a\}$.
Consider the case $\varphi = \varphi_1 \wedge \varphi_2$; then, using the induction hypothesis for $\varphi_1$ and
$\varphi_2$, we have:

$$\begin{aligned}
\ulcorner (\varphi_1 \wedge \varphi_2)\{\psi/a\} \urcorner &= \ulcorner \varphi_1\{\psi/a\} \wedge \varphi_2\{\psi/a\} \urcorner = \\
&= \mathit{and}\,\ulcorner\varphi_1\{\psi/a\}\urcorner\,\ulcorner\varphi_2\{\psi/a\}\urcorner = \\
&= \mathit{and}\,\ulcorner\varphi_1\urcorner\{\ulcorner\psi\urcorner/x_a\}\,\ulcorner\varphi_2\urcorner\{\ulcorner\psi\urcorner/x_a\} = \\
&= (\mathit{and}\,\ulcorner\varphi_1\urcorner\,\ulcorner\varphi_2\urcorner)\{\ulcorner\psi\urcorner/x_a\} = \ulcorner \varphi_1 \wedge \varphi_2 \urcorner\{\ulcorner\psi\urcorner/x_a\}.
\end{aligned}$$

The other cases are similar. □


Even if rather obvious, the compositionality of $\ulcorner\cdot\urcorner$ is an important property. If it
failed, we could hardly represent generic proof rules and generic proofs. Assume
indeed we have an object $M$ representing some formula $\varphi$ with propositional variable
$a$. We would expect to be able to represent the formula $\varphi\{\psi/a\}$; compositionality
says precisely that such a formula is represented by the $\lambda P$ object $M\{\ulcorner\psi\urcorner/x_a\}$.

The syntax poses no difficulties (in particular we do not have to deal with higher
order operators), and following the same approach $\ulcorner\cdot\urcorner$ can be extended also to the formulas
of the temporal logics described in Chapter 5.

With abuse of notation, in the following we will also write $\ulcorner x \wedge y \urcorner$ when $x$ and
$y$ are $\lambda P$ terms of type $o$, with the obvious meaning. The same convention will also
be used for the other syntactic objects for which we will define an encoding later.


8.2.2 Encoding Judgments


In order to encode judgments we extend the signature $\Sigma_{LTL}$ with the family of world
variables, the family of judgments and constructors for the four kinds of judgments
used in the natural deduction systems for temporal logics:

  $w : \mathsf{type}$        $R : w \to w \to j$        $S : w \to w \to j$
  $j : \mathsf{type}$        $F : w \to o \to j$        $E : w \to w \to j$

Assume given a function from the set of world variables to $\mathcal{V}_O$ that takes the world
variable $p$ to the $\lambda P$ variable $y_p$. Then we can define a map from LTL judgments
to terms of type $j$ as follows:

$\ulcorner p\,R\,q \urcorner = R\,y_p\,y_q$
$\ulcorner p\,R^*\,q \urcorner = S\,y_p\,y_q$
$\ulcorner p = q \urcorner = E\,y_p\,y_q$
$\ulcorner p : \varphi \urcorner = F\,y_p\,\ulcorner\varphi\urcorner$

Given a set of world variables $Y = \{p_1, p_2, \dots, p_n\}$, we will denote with $\Gamma_Y$ the
$\lambda P$ environment $\{y_{p_1}{:}w, y_{p_2}{:}w, \dots, y_{p_n}{:}w\}$.

Again, $\ulcorner\cdot\urcorner$ is a compositional bijection between canonical $\lambda P$ terms of type $j$ and
LTL judgments, as stated by the two following propositions.


Proposition 8.2.4 Let $X$ be a set of propositional variables and $Y$ a set of world
variables; then we have the following.

If $J$ is a judgment with propositional variables in $X$ and world variables in $Y$,
then $\Sigma_{LTL};\Gamma_X,\Gamma_Y \vdash \ulcorner J \urcorner \Uparrow j$.

Conversely, if $\Sigma_{LTL};\Gamma_X,\Gamma_Y \vdash M \Uparrow j$ there exists an LTL judgment $J$ with
propositional variables in $X$ and world variables in $Y$ such that $\ulcorner J \urcorner = M$.


Proof. We prove first that $\ulcorner J \urcorner \Uparrow j$. There are different cases according to the
shape of $J$:

• if $J = p\,R\,q$ or $J = p\,R^*\,q$ or $J = (p = q)$, clearly we have $\Sigma_{LTL};\Gamma_Y \vdash \ulcorner J \urcorner \Uparrow j$;

• if $J = p : \varphi$, by Proposition 8.2.1 we have $\Sigma_{LTL};\Gamma_X \vdash \ulcorner\varphi\urcorner \Uparrow o$ and by definition
of canonical term also $\Sigma_{LTL};\Gamma_X,\Gamma_Y \vdash F\,y_p\,\ulcorner\varphi\urcorner \Uparrow j$.

Conversely, proceed by induction on the proof of $\Sigma;\Gamma_X,\Gamma_Y \vdash M \Uparrow j$. Since the
only constructors for $j$ are $R, S, E$ and $F$, we have only one of the following cases:

• $M = R\,N_1\,N_2$ with $\Sigma;\Gamma_X,\Gamma_Y \vdash N_1 \Uparrow w$ and $\Sigma;\Gamma_X,\Gamma_Y \vdash N_2 \Uparrow w$. Clearly both
$N_1$ and $N_2$ must belong to $\Gamma_Y$, so that $M = \ulcorner p\,R\,q \urcorner$ for some $p$ and $q$ such that
$N_1 = \ulcorner p \urcorner$ and $N_2 = \ulcorner q \urcorner$;

• $M = S\,N_1\,N_2$: as above, it must be $M = \ulcorner p\,R^*\,q \urcorner$ for some $p$ and $q$ such that
$N_1 = \ulcorner p \urcorner$ and $N_2 = \ulcorner q \urcorner$;

• $M = E\,N_1\,N_2$: as above, it must be $M = \ulcorner p = q \urcorner$ for some $p$ and $q$ such that
$N_1 = \ulcorner p \urcorner$ and $N_2 = \ulcorner q \urcorner$;

• $M = F\,N_1\,N_2$ with $\Sigma;\Gamma_X,\Gamma_Y \vdash N_1 \Uparrow w$ and $\Sigma;\Gamma_X,\Gamma_Y \vdash N_2 \Uparrow o$. Using
Proposition 8.2.2 we immediately have $N_2 = \ulcorner\varphi\urcorner$ for some $\varphi$, and $M = \ulcorner p : \varphi \urcorner$
for some $p$ such that $\ulcorner p \urcorner = N_1$. □


Proposition 8.2.5 $\ulcorner\cdot\urcorner$ is compositional with respect to both propositional variables
and world variables.

More precisely, if $X, Y$ are sets of propositional variables and world variables
respectively, $J$ is a judgment on $X, Y$, $\varphi$ is a formula on $X$, $p, q$ are world variables
and $a$ a propositional variable, we have

$$\ulcorner J\{\varphi/a\} \urcorner = \ulcorner J \urcorner\{\ulcorner\varphi\urcorner/x_a\} \qquad\qquad \ulcorner J\{q/p\} \urcorner = \ulcorner J \urcorner\{y_q/y_p\}$$

Proof. For the first identity, in the case that $J$ is a relational judgment there is nothing to
prove, so assume $J = p : \psi$; then using Proposition 8.2.3 we immediately have:

$$\ulcorner J\{\varphi/a\} \urcorner = \ulcorner p : \psi\{\varphi/a\} \urcorner = F\,y_p\,\ulcorner\psi\urcorner\{\ulcorner\varphi\urcorner/x_a\} = \ulcorner J \urcorner\{\ulcorner\varphi\urcorner/x_a\}$$

For the second identity assume that $J$ is of the form $p_0\,R\,q_0$; then we have

$$\ulcorner (p_0\,R\,q_0)\{q/p\} \urcorner = R\,\ulcorner p_0\{q/p\} \urcorner\,\ulcorner q_0\{q/p\} \urcorner = R\,y_{p_0}\{y_q/y_p\}\,y_{q_0}\{y_q/y_p\} = \ulcorner p_0\,R\,q_0 \urcorner\{y_q/y_p\}.$$

The remaining cases are similar. □


World variables resemble term variables in first order logic, since they have their
own sort and occur in judgments as term variables occur in formulas. However, there
is an important difference that makes the syntax of judgments simpler to treat:
there are no binders (at the level of judgments) for world variables.

With abuse of notation we will sometimes mix (within $\ulcorner\cdot\urcorner$) $\lambda P$ variables representing
world variables with world variables, and $\lambda P$ variables representing propositional
variables with propositional variables.

This permits a gain in readability, writing for instance

$$\Pi p{:}w.\Pi A, B{:}o.\, T\ulcorner p : A \urcorner \to T\ulcorner p : B \urcorner \to T\ulcorner p : A \wedge B \urcorner$$

instead of

$$\Pi p{:}w.\Pi A, B{:}o.\, T\ulcorner p : A \urcorner \to T\ulcorner p : B \urcorner \to T(F\,p\,(\mathit{and}\,A\,B))$$
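As an added example (this is not code from the thesis or from any logical framework), the following Python models the encodings of Sections 8.2.1 and 8.2.2: formulas are tagged tuples, $\lambda P$ terms of type $o$ and $j$ are binder-free application spines, and the functions implement $\ulcorner\cdot\urcorner$, its inverse on canonical terms (the case analysis of Propositions 8.2.2 and 8.2.4), and the substitution identities of Propositions 8.2.3 and 8.2.5. The string convention `x_a` for $x_a$ and `y_p` for $y_p$, the tuple shapes, and the sample formula are assumptions of the example.

```python
# Constructed example: LTL formulas and labelled judgments as lambda-P spines.
# Formulas are tuples tagged with the signature constant that encodes them:
#   ("pvar", "a"), ("bot",), ("and", f, g), ("or", f, g), ("imp", f, g),
#   ("next", f), ("box", f), ("dia", f).
# Judgments: ("R", p, q) for p R q, ("S", p, q) for p R* q, ("E", p, q) for p = q,
# ("F", p, formula) for p : formula.  Terms of type o and j contain no binders,
# so a term is ("var", name) | ("const", name) | ("app", fun, arg).
FORMULA_CONSTANTS = {"bot": 0, "and": 2, "or": 2, "imp": 2, "next": 1, "box": 1, "dia": 1}
JUDGMENT_CONSTANTS = {"R", "S", "E", "F"}

def var(x): return ("var", x)
def const(c): return ("const", c)

def app(head, *args):
    """Left-nested application  head a1 ... an."""
    for a in args:
        head = ("app", head, a)
    return head

def spine(term):
    """Split an application spine into (head, [a1, ..., an])."""
    args = []
    while term[0] == "app":
        args.append(term[2])
        term = term[1]
    return term, args[::-1]

def encode_formula(phi):
    """The map of Section 8.2.1; a propositional variable a goes to x_a."""
    if phi[0] == "pvar":
        return var("x_" + phi[1])
    return app(const(phi[0]), *(encode_formula(sub) for sub in phi[1:]))

def decode_formula(term, X):
    """Inverse of encode_formula on canonical terms of type o in Gamma_X.
    Raises ValueError for anything else (wrong head, wrong arity, variable not in X)."""
    head, args = spine(term)
    if head[0] == "var":
        name = head[1]
        if args or not name.startswith("x_") or name[2:] not in X:
            raise ValueError(f"not a canonical term of type o: {term}")
        return ("pvar", name[2:])
    c = head[1]
    if head[0] != "const" or c not in FORMULA_CONSTANTS or len(args) != FORMULA_CONSTANTS[c]:
        raise ValueError(f"not a canonical term of type o: {term}")
    return (c, *(decode_formula(a, X) for a in args))

def encode_judgment(J):
    """The map of Section 8.2.2; a world variable p goes to y_p."""
    kind, p, rest = J
    second = encode_formula(rest) if kind == "F" else var("y_" + rest)
    return app(const(kind), var("y_" + p), second)

def _world(term, Y):
    if term[0] != "var" or not term[1].startswith("y_") or term[1][2:] not in Y:
        raise ValueError(f"not a world variable of Gamma_Y: {term}")
    return term[1][2:]

def decode_judgment(term, X, Y):
    """Inverse of encode_judgment on canonical terms of type j (Proposition 8.2.4)."""
    head, args = spine(term)
    if head[0] != "const" or head[1] not in JUDGMENT_CONSTANTS or len(args) != 2:
        raise ValueError(f"not a canonical term of type j: {term}")
    kind = head[1]
    second = decode_formula(args[1], X) if kind == "F" else _world(args[1], Y)
    return (kind, _world(args[0], Y), second)

def subst_formula(phi, a, psi):
    """phi{psi/a} on formulas."""
    if phi[0] == "pvar":
        return psi if phi[1] == a else phi
    return (phi[0], *(subst_formula(sub, a, psi) for sub in phi[1:]))

def subst_term(term, x, s):
    """term{s/x} on binder-free lambda-P terms."""
    if term[0] == "var":
        return s if term[1] == x else term
    if term[0] == "app":
        return ("app", subst_term(term[1], x, s), subst_term(term[2], x, s))
    return term

def subst_world(J, p, q):
    """J{q/p}: rename world variable p to q in a judgment."""
    kind, w, rest = J
    ren = lambda v: q if v == p else v
    return (kind, ren(w), rest if kind == "F" else ren(rest))

def compositional_formula(phi, a, psi):
    """Proposition 8.2.3: encode(phi{psi/a}) == encode(phi){encode(psi)/x_a}."""
    lhs = encode_formula(subst_formula(phi, a, psi))
    return lhs == subst_term(encode_formula(phi), "x_" + a, encode_formula(psi))

def compositional_world(J, p, q):
    """Proposition 8.2.5 (second identity): encode(J{q/p}) == encode(J){y_q/y_p}."""
    return encode_judgment(subst_world(J, p, q)) == subst_term(encode_judgment(J), "y_" + p, var("y_" + q))

def is_canonical_o(term, X):
    """True iff term is a canonical term of type o in Gamma_X."""
    try:
        decode_formula(term, X)
        return True
    except ValueError:
        return False

# Constructed sample: box(a -> next b) and dia bot, over X = {a, b}, Y = {p, q}.
PHI = ("and", ("box", ("imp", ("pvar", "a"), ("next", ("pvar", "b")))), ("dia", ("bot",)))
PSI = ("or", ("pvar", "b"), ("bot",))
J = ("F", "p", PHI)
```

`decode_formula` is the inverse that the proof of Proposition 8.2.2 builds by induction: a spine whose head is a variable must be some $x_a$ with $a \in X$ and carry no arguments, and a spine whose head is a constant must be one of the seven connectives applied to exactly its arity of canonical arguments; everything else is rejected, which is why the two compositionality checks can compare terms with plain tuple equality.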


8.2.3 Encoding Provability


In order to encode deductions we extend the signature $\Sigma_{LTL}$ with a dependent type
family and terms corresponding to the rules of the proof system.


Families for deductions
$T : j \to \mathsf{type}$


Inhabitants of $T\ulcorner p : \varphi \urcorner$ will be deductions of $p : \varphi$. Before defining how deductions
will be encoded we have to decide how to keep track of the set of open assumptions.

We assume that each judgment that is open in the deduction is labelled by a
different symbol; we will depict such labelling using a superscript.

Let $\Gamma = \{J_1^{z_1},\dots,J_n^{z_n}\}$ be a set of assumptions (labelled with $z_1,\dots,z_n$) with
propositional variables in $X$ and world variables in $Y$. We define $\ulcorner\Gamma\urcorner$ as the sequence
$\{z_1{:}T\ulcorner J_1 \urcorner,\dots,z_n{:}T\ulcorner J_n \urcorner\}$ where the elements of the sequence are arranged in a
fixed arbitrary order (we can assume that the set of symbols labelling assumptions
is endowed with such an order).

Clearly, in virtue of the exchange property of $\lambda P$, the chosen order does not
matter from the point of view of provability; moreover, disregarding the chosen
order, we have the following proposition.

Proposition 8.2.6 Given a set of assumptions $\Gamma$ with propositional variables in $X$
and world variables in $Y$, $\Sigma_{LTL};\Gamma_X,\Gamma_Y,\ulcorner\Gamma\urcorner$ is a valid $\lambda P$ context.


Proof. Since $\Sigma_{LTL};\Gamma_X,\Gamma_Y$ is a valid context, it is sufficient to show that $\Sigma_{LTL};\Gamma_X,\Gamma_Y \vdash
T\ulcorner J_i \urcorner : \mathsf{type}$. This follows easily from $\Sigma_{LTL} \vdash T : j \to \mathsf{type}$ and Proposition 8.2.4. □


Deductions in NK-LTL of $G;\Gamma \vdash p : \varphi$ will be encoded as $\lambda P$ objects of type
$T\ulcorner p : \varphi \urcorner$ under the context $\Sigma_{LTL};\Gamma_X,\Gamma_Y,\ulcorner G;\Gamma \urcorner$, where $X$ and $Y$ are the sets of
propositional variables and world variables, respectively, occurring in $G;\Gamma \vdash p : \varphi$.

The axiom rule for NK-LTL deductions is represented by means of the $\lambda P$ axiom
rule, so that the trivial deduction $p : \varphi^z$ is encoded as

$$\Sigma_{LTL};\Gamma_X,\Gamma_Y, z{:}T\ulcorner p : \varphi \urcorner \vdash z : T\ulcorner p : \varphi \urcorner.$$

In order to represent the other formation rules for NK-LTL we extend the
signature $\Sigma_{LTL}$ with the objects listed in the following paragraphs.


Objects for propositional rules

$\mathit{and}_I : \Pi p{:}w.\Pi A, B{:}o.\, T\ulcorner p : A \urcorner \to T\ulcorner p : B \urcorner \to T\ulcorner p : A \wedge B \urcorner$
$\mathit{and}_{E_1} : \Pi p{:}w.\Pi A, B{:}o.\, T\ulcorner p : A \wedge B \urcorner \to T\ulcorner p : A \urcorner$
$\mathit{and}_{E_2} : \Pi p{:}w.\Pi A, B{:}o.\, T\ulcorner p : A \wedge B \urcorner \to T\ulcorner p : B \urcorner$
$\mathit{or}_{I_1} : \Pi p{:}w.\Pi A, B{:}o.\, T\ulcorner p : A \urcorner \to T\ulcorner p : A \vee B \urcorner$
$\mathit{or}_{I_2} : \Pi p{:}w.\Pi A, B{:}o.\, T\ulcorner p : B \urcorner \to T\ulcorner p : A \vee B \urcorner$
$\mathit{or}_E : \Pi p{:}w.\Pi A, B, C{:}o.\, T\ulcorner p : A \vee B \urcorner \to (T\ulcorner p : A \urcorner \to T\ulcorner p : C \urcorner) \to (T\ulcorner p : B \urcorner \to T\ulcorner p : C \urcorner) \to T\ulcorner p : C \urcorner$
$\mathit{imp}_I : \Pi p{:}w.\Pi A, B{:}o.\, (T\ulcorner p : A \urcorner \to T\ulcorner p : B \urcorner) \to T\ulcorner p : A \to B \urcorner$
$\mathit{imp}_E : \Pi p{:}w.\Pi A, B{:}o.\, T\ulcorner p : A \to B \urcorner \to T\ulcorner p : A \urcorner \to T\ulcorner p : B \urcorner$
$\mathit{bot}_E : \Pi p, q{:}w.\Pi A{:}o.\, (T\ulcorner p : \neg A \urcorner \to T\ulcorner q : \bot \urcorner) \to T\ulcorner p : A \urcorner$


The key idea here is that of viewing inference rules as proofs of higher order
judgments (see [HHP93]). More precisely, two kinds of higher order judgments are
used: hypothetical judgments to represent premises of rules that discharge assumptions,
and schematic judgments to represent the genericity of proof rules.

These are the same objects that one obtains by encoding ND-PROP; the only
difference is the quantification over the world variable, which is necessary here
since we deal with labelled formulas and not with formulas.


Objects for modal rules

$\mathit{next}_I : \Pi p{:}w.\Pi A{:}o.\, (\Pi q{:}w.\, T\ulcorner p\,R\,q \urcorner \to T\ulcorner q : A \urcorner) \to T\ulcorner p : \bigcirc A \urcorner$
$\mathit{next}_E : \Pi p, q{:}w.\Pi A{:}o.\, T\ulcorner p : \bigcirc A \urcorner \to T\ulcorner p\,R\,q \urcorner \to T\ulcorner q : A \urcorner$
$\mathit{box}_I : \Pi p{:}w.\Pi A{:}o.\, (\Pi q{:}w.\, T\ulcorner p\,R^*\,q \urcorner \to T\ulcorner q : A \urcorner) \to T\ulcorner p : \Box A \urcorner$
$\mathit{box}_E : \Pi p, q{:}w.\Pi A{:}o.\, T\ulcorner p : \Box A \urcorner \to T\ulcorner p\,R^*\,q \urcorner \to T\ulcorner q : A \urcorner$
$\mathit{dia}_I : \Pi p, q{:}w.\Pi A{:}o.\, T\ulcorner q : A \urcorner \to T\ulcorner p\,R^*\,q \urcorner \to T\ulcorner p : \Diamond A \urcorner$
$\mathit{dia}_E : \Pi p, q{:}w.\Pi A, B{:}o.\, T\ulcorner p : \Diamond A \urcorner \to (\Pi r{:}w.\, T\ulcorner r : A \urcorner \to T\ulcorner p\,R^*\,r \urcorner \to T\ulcorner q : B \urcorner) \to T\ulcorner q : B \urcorner$


Here the parallel between world variables and the variables of predicate logic is quite
clear. If one forgets about the relational part, the types of these objects are the same as the
types of the terms representing the quantifiers of ND-PRED. More precisely, $\mathit{next}_I$, $\mathit{box}_I$,
$\mathit{next}_E$, $\mathit{box}_E$ closely correspond to the terms encoding the universal quantifier of
ND-PRED, and $\mathit{dia}_I$, $\mathit{dia}_E$ closely correspond to the terms encoding the existential quantifier
of ND-PRED.

It is worth noticing that there is another way to obtain (almost) the same rules.
One could consider the first order translation of LTL and encode in $\lambda P$ the terms
resulting from such a translation.

There is, however, an important difference between our approach and the approach
sketched above. In the former we have a sort for LTL formulas and there is no
way to exit from the syntax of LTL. In the latter we would only have first order
formulas (some of which would be the encoding of an LTL formula) and we would
need some external machinery in order to guarantee that the manipulated objects
always represent LTL formulas.


Objects for relational rules

$\mathit{rel}_{ser} : \Pi A{:}o.\Pi p, q{:}w.\, (\Pi r{:}w.\, T\ulcorner q\,R\,r \urcorner \to T\ulcorner p : A \urcorner) \to T\ulcorner p : A \urcorner$
$\mathit{rel}_{refl} : \Pi A{:}o.\Pi p, q{:}w.\, (T\ulcorner q\,R^*\,q \urcorner \to T\ulcorner p : A \urcorner) \to T\ulcorner p : A \urcorner$
$\mathit{rel}_{trans} : \Pi A{:}o.\Pi p, q_1, q_2, q_3{:}w.\, T\ulcorner q_1\,R^*\,q_2 \urcorner \to T\ulcorner q_2\,R^*\,q_3 \urcorner \to (T\ulcorner q_1\,R^*\,q_3 \urcorner \to T\ulcorner p : A \urcorner) \to T\ulcorner p : A \urcorner$
$\mathit{rel}_{incl} : \Pi A{:}o.\Pi p, q, r{:}w.\, T\ulcorner q\,R\,r \urcorner \to (T\ulcorner q\,R^*\,r \urcorner \to T\ulcorner p : A \urcorner) \to T\ulcorner p : A \urcorner$
$\mathit{rel}_{ind} : \Pi A{:}o.\Pi p, q{:}w.\, T\ulcorner p\,R^*\,q \urcorner \to T\ulcorner p : A \urcorner \to (\Pi r, s{:}w.\, T\ulcorner p\,R^*\,r \urcorner \to T\ulcorner r\,R\,s \urcorner \to T\ulcorner r : A \urcorner \to T\ulcorner s : A \urcorner) \to T\ulcorner q : A \urcorner$
$\mathit{rel}_{fun} : \Pi A{:}o.\Pi q, p_1, p_2, p{:}w.\, T\ulcorner q\,R\,p_1 \urcorner \to T\ulcorner q\,R\,p_2 \urcorner \to (T\ulcorner p_1 = p_2 \urcorner \to T\ulcorner p : A \urcorner) \to T\ulcorner p : A \urcorner$
$\mathit{rel}_{eqr} : \Pi A{:}o.\Pi p, q{:}w.\, (T\ulcorner p = p \urcorner \to T\ulcorner q : A \urcorner) \to T\ulcorner q : A \urcorner$
$\mathit{rel}_{eqt} : \Pi A{:}o.\Pi p_1, p_2, p_3, q{:}w.\, T\ulcorner p_1 = p_2 \urcorner \to T\ulcorner p_3 = p_2 \urcorner \to (T\ulcorner p_1 = p_3 \urcorner \to T\ulcorner q : A \urcorner) \to T\ulcorner q : A \urcorner$

And finally, for each kind of judgment we have rules stating the substitutivity of
equal world variables, for instance

$\mathit{subst}_F : \Pi A{:}o.\Pi p, q{:}w.\, T\ulcorner p = q \urcorner \to T\ulcorner p : A \urcorner \to T\ulcorner q : A \urcorner$
$\mathit{subst}_R : \Pi A{:}o.\Pi p_1, p_2, q, r{:}w.\, T\ulcorner p_1 = p_2 \urcorner \to T\ulcorner p_1\,R\,q \urcorner \to (T\ulcorner p_2\,R\,q \urcorner \to T\ulcorner r : A \urcorner) \to T\ulcorner r : A \urcorner$


The set of objects above immediately gives us an inductive encoding $\ulcorner\cdot\urcorner$ from
NK-LTL deductions to $\lambda P$ terms. We spell out in detail some of the inductive
clauses, writing $\pi_1, \pi_2$ for the immediate subdeductions of $\pi$ and listing in square
brackets the assumptions discharged by the last rule:

• if $\pi$ ends with $(\wedge I)$ applied to $\pi_1$ of $p : \varphi$ and $\pi_2$ of $p : \psi$, then
  $\ulcorner\pi\urcorner = \mathit{and}_I\, y_p\, \ulcorner\varphi\urcorner\, \ulcorner\psi\urcorner\, \ulcorner\pi_1\urcorner\, \ulcorner\pi_2\urcorner$;

• if $\pi$ ends with $(\to I)$ applied to $\pi_1$ of $p : \psi$ from $[p : \varphi^z]$, then
  $\ulcorner\pi\urcorner = \mathit{imp}_I\, y_p\, \ulcorner\varphi\urcorner\, \ulcorner\psi\urcorner\, (\lambda z{:}T\ulcorner p : \varphi \urcorner.\, \ulcorner\pi_1\urcorner)$;

• if $\pi$ ends with $(\bigcirc I)$ applied to $\pi_1$ of $q : \varphi$ from $[p\,R\,q^z]$, then
  $\ulcorner\pi\urcorner = \mathit{next}_I\, y_p\, \ulcorner\varphi\urcorner\, (\lambda y_q{:}w.\, \lambda z{:}T\ulcorner p\,R\,q \urcorner.\, \ulcorner\pi_1\urcorner)$;

• if $\pi$ ends with $(\bigcirc E)$ applied to $\pi_1$ of $p : \bigcirc\varphi$ and $\pi_2$ of $p\,R\,q$, then
  $\ulcorner\pi\urcorner = \mathit{next}_E\, y_p\, y_q\, \ulcorner\varphi\urcorner\, \ulcorner\pi_1\urcorner\, \ulcorner\pi_2\urcorner$;

• if $\pi$ ends with $(\Diamond E)$ applied to $\pi_1$ of $p : \Diamond\varphi$ and $\pi_2$ of $p_0 : \psi$ from $[q : \varphi^{z_1}]$ and $[p\,R^*\,q^{z_2}]$, then
  $\ulcorner\pi\urcorner = \mathit{dia}_E\, y_p\, y_{p_0}\, \ulcorner\varphi\urcorner\, \ulcorner\psi\urcorner\, \ulcorner\pi_1\urcorner\, (\lambda y_q{:}w.\, \lambda z_1{:}T\ulcorner q : \varphi \urcorner.\, \lambda z_2{:}T\ulcorner p\,R^*\,q \urcorner.\, \ulcorner\pi_2\urcorner)$;

• if $\pi$ ends with the induction rule applied to the assumption $p\,R^*\,q^z$, to $\pi_1$ of $p : \varphi$ and to $\pi_2$ of $p_2 : \varphi$ from $[p\,R^*\,p_1^{z_1}]$, $[p_1\,R\,p_2^{z_2}]$ and $[p_1 : \varphi^{z_3}]$, then
  $\ulcorner\pi\urcorner = \mathit{rel}_{ind}\, \ulcorner\varphi\urcorner\, y_p\, y_q\, z\, \ulcorner\pi_1\urcorner\, (\lambda y_{p_1}{:}w.\, \lambda y_{p_2}{:}w.\, \lambda z_1{:}T\ulcorner p\,R^*\,p_1 \urcorner.\, \lambda z_2{:}T\ulcorner p_1\,R\,p_2 \urcorner.\, \lambda z_3{:}T\ulcorner p_1 : \varphi \urcorner.\, \ulcorner\pi_2\urcorner)$.
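The following Python is an added example, not code from the thesis or from any logical framework implementation. It is a minimal type checker for the $\lambda P$ fragment needed by the encoding, with the signature restricted to $\mathit{and}_I$ and $\mathit{imp}_I$, and it shows proof checking as type checking: the encoding of a deduction of $p : A \to (A \wedge B)$ from the open assumption $p : B$ is accepted, while the same term with a proof of $p : A$ used where a proof of $p : B$ is required is rejected. The term representation, the helper names (`arrow`, `pis`, `F`, `T`, `AND`, `IMP`, `is_proof`) and the variable names `yp`, `A`, `B`, `z`, `z2` are assumptions of the example. There is no equality rule: types are compared up to renaming of bound variables, which is enough here because applying the signature's constants to variables never creates a redex inside a type.

```python
# Constructed example: a small lambda-P type checker (named terms, no equality rule).
from collections import namedtuple
from itertools import count

Var, Const, App = namedtuple("Var", "name"), namedtuple("Const", "name"), namedtuple("App", "fun arg")
Lam = namedtuple("Lam", "var ty body")   # lambda var:ty. body
Pi = namedtuple("Pi", "var ty body")     # Pi var:ty. body  (written ty -> body when var is unused)
TYPE, KIND = Const("type"), Const("kind")
_fresh = count()

def free_vars(t):
    if isinstance(t, Var):
        return {t.name}
    if isinstance(t, App):
        return free_vars(t.fun) | free_vars(t.arg)
    if isinstance(t, (Lam, Pi)):
        return free_vars(t.ty) | (free_vars(t.body) - {t.var})
    return set()

def subst(t, x, s):
    """Capture-avoiding substitution t{s/x}."""
    if isinstance(t, Var):
        return s if t.name == x else t
    if isinstance(t, App):
        return App(subst(t.fun, x, s), subst(t.arg, x, s))
    if isinstance(t, (Lam, Pi)):
        ty = subst(t.ty, x, s)
        if t.var == x:                      # x is shadowed by this binder
            return type(t)(t.var, ty, t.body)
        v, body = t.var, t.body
        if v in free_vars(s):               # rename the binder to avoid capture
            v = f"{t.var}_{next(_fresh)}"
            body = subst(body, t.var, Var(v))
        return type(t)(v, ty, subst(body, x, s))
    return t

def alpha_eq(t, u):
    """Syntactic equality up to renaming of bound variables."""
    if type(t) is not type(u):
        return False
    if isinstance(t, (Var, Const)):
        return t.name == u.name
    if isinstance(t, App):
        return alpha_eq(t.fun, u.fun) and alpha_eq(t.arg, u.arg)
    v = Var(f"#{next(_fresh)}")
    return alpha_eq(t.ty, u.ty) and alpha_eq(subst(t.body, t.var, v), subst(u.body, u.var, v))

def infer(sig, ctx, t):
    """Type (or kind) of t under signature sig and context ctx (both dicts name -> type)."""
    if isinstance(t, Var):
        if t.name not in ctx:
            raise TypeError(f"unbound variable {t.name}")
        return ctx[t.name]
    if isinstance(t, Const):
        if t.name == "type":
            return KIND
        if t.name not in sig:
            raise TypeError(f"unknown constant {t.name}")
        return sig[t.name]
    if isinstance(t, App):                  # M N : B{N/x}  when M : Pi x:A.B and N : A
        ft = infer(sig, ctx, t.fun)
        if not isinstance(ft, Pi):
            raise TypeError("application of a non-function")
        check(sig, ctx, t.arg, ft.ty)
        return subst(ft.body, ft.var, t.arg)
    if isinstance(t, Lam):                  # lambda x:A.M : Pi x:A.B  when x:A |- M : B
        check(sig, ctx, t.ty, TYPE)
        return Pi(t.var, t.ty, infer(sig, {**ctx, t.var: t.ty}, t.body))
    if isinstance(t, Pi):
        check(sig, ctx, t.ty, TYPE)
        sort = infer(sig, {**ctx, t.var: t.ty}, t.body)
        if sort not in (TYPE, KIND):
            raise TypeError("Pi body must be a type or a kind")
        return sort
    raise TypeError("ill-formed term")

def check(sig, ctx, t, expected):
    actual = infer(sig, ctx, t)
    if not alpha_eq(actual, expected):
        raise TypeError(f"expected {expected}, got {actual}")
    return True

# --- the signature, restricted to what the sample deductions need ---
def arrow(a, b): return Pi("_", a, b)
def pis(names, ty, body):
    for n in reversed(names):
        body = Pi(n, ty, body)
    return body
def F(q, phi): return App(App(Const("F"), q), phi)      # the judgment q : phi
def T(J): return App(Const("T"), J)
def AND(a, b): return App(App(Const("and"), a), b)
def IMP(a, b): return App(App(Const("imp"), a), b)

o, w, j = Const("o"), Const("w"), Const("j")
p, A, B = Var("p"), Var("A"), Var("B")
SIG = {
    "o": TYPE, "w": TYPE, "j": TYPE,
    "and": arrow(o, arrow(o, o)), "imp": arrow(o, arrow(o, o)),
    "F": arrow(w, arrow(o, j)), "T": arrow(j, TYPE),
    "and_I": pis(["p"], w, pis(["A", "B"], o, arrow(T(F(p, A)), arrow(T(F(p, B)), T(F(p, AND(A, B))))))),
    "imp_I": pis(["p"], w, pis(["A", "B"], o, arrow(arrow(T(F(p, A)), T(F(p, B))), T(F(p, IMP(A, B)))))),
}

def signature_is_valid():
    """Every declaration in SIG has a well-formed type or kind."""
    return all(infer(SIG, {}, ty) in (TYPE, KIND) for ty in SIG.values())

def is_proof(term, judgment, ctx):
    """Proof checking as type checking: does term inhabit T judgment in ctx?"""
    try:
        return check(SIG, ctx, term, T(judgment))
    except TypeError:
        return False

# Context Gamma_X, Gamma_Y, assumptions: world yp, formulas A, B, and z2 : T(yp : B).
yp = Var("yp")
CTX = {"yp": w, "A": o, "B": o, "z2": T(F(yp, B))}
# (->I) discharging z : (yp : A) over (and I) applied to z and the open assumption z2:
# the encoding of a deduction of  yp : A -> (A and B)  from  yp : B.
PROOF = App(App(App(App(Const("imp_I"), yp), A), AND(A, B)),
            Lam("z", T(F(yp, A)), App(App(App(App(App(Const("and_I"), yp), A), B), Var("z")), Var("z2"))))
# Same shape, but z (a proof of yp : A) is used where a proof of yp : B is required.
BAD = App(App(App(App(Const("imp_I"), yp), A), AND(A, B)),
          Lam("z", T(F(yp, A)), App(App(App(App(App(Const("and_I"), yp), A), B), Var("z")), Var("z"))))
```

The hypothetical premise of $\mathit{imp}_I$ is the $\lambda$-abstraction over `z`, exactly as in the $(\to I)$ clause above, and the rejected term fails in the application rule, where the argument type $T\ulcorner p : A \urcorner$ is compared with the expected $T\ulcorner p : B \urcorner$.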


Finally, it can be seen that the proposed encoding is faithful.

Proposition 8.2.7 Let $\pi$ be an NK-LTL deduction of $p : \varphi$ with open assumptions
$\{J_1^{z_1},\dots,J_k^{z_k}\}$. Let $X$ be the set of propositional variables occurring in $\pi$ and $Y$
the set of world variables in $\pi$. Then we have

$$\Sigma_{LTL};\Gamma_X,\Gamma_Y, z_1{:}T\ulcorner J_1 \urcorner,\dots,z_k{:}T\ulcorner J_k \urcorner \vdash \ulcorner\pi\urcorner \Uparrow T\ulcorner p : \varphi \urcorner.$$

Conversely, assume that for some $\lambda P$ term $M$ we have

$$\Sigma_{LTL};\Gamma_X,\Gamma_Y, z_1{:}T\ulcorner J_1 \urcorner,\dots,z_k{:}T\ulcorner J_k \urcorner \vdash M \Uparrow T\ulcorner p : \varphi \urcorner$$

for some $p$ and $\varphi$; then there exists an NK-LTL deduction $\pi$ of $J_1,\dots,J_k \vdash p : \varphi$ such
that $\ulcorner\pi\urcorner = M$.

Proof. Due to the number of objects in $\Sigma_{LTL}$ the proof is quite lengthy and tedious,
so we only sketch it and do not consider each possible rule occurring in $\pi$.


$\Rightarrow$) To prove the first statement we proceed by induction on the definition of
$\ulcorner\pi\urcorner$.
First observe that $T\ulcorner p : \varphi \urcorner$ is an atomic type, so it is sufficient to prove

$$\Sigma_{LTL};\Gamma_X,\Gamma_Y, z_1{:}T\ulcorner J_1 \urcorner,\dots,z_k{:}T\ulcorner J_k \urcorner \vdash \ulcorner\pi\urcorner \Downarrow T\ulcorner p : \varphi \urcorner.$$

The base case is given by the trivial deduction, and we immediately have

$$\Sigma_{LTL};\Gamma_X,\Gamma_Y, z{:}T\ulcorner p : \varphi \urcorner \vdash z \Downarrow T\ulcorner p : \varphi \urcorner,$$

since $z$ is an atomic object of basic type.

In the remaining cases $M$ will be of the form $c\,N_1 \dots N_h$, with $c$ some object
in $\Sigma_{LTL}$ of arity $h$ representing a proof rule and $N_1,\dots,N_h$, of types $A_1,\dots,A_h$
respectively, the arguments of $c$.

Now, for any possible $c$ we immediately have that $c$ is atomic of the type declared
for it in $\Sigma_{LTL}$, hence it is sufficient to show

$$\Sigma_{LTL};\Gamma_X,\Gamma_Y, z_1{:}T\ulcorner J_1 \urcorner,\dots,z_k{:}T\ulcorner J_k \urcorner \vdash N_i \Uparrow A_i$$

for each $i \in [1 \dots h]$.
By inspection of the objects in $\Sigma_{LTL}$ we know that the only possibilities for $N_i$
are the following:

• $N_i = \ulcorner\pi'\urcorner$ for some subdeduction $\pi'$ of $\pi$, and, applying the induction
hypothesis, we know that $N_i$ is a canonical object;

• $N_i$ is the encoding of a world variable; then it must be a variable of atomic
type $w$, hence a canonical object;

• $N_i$ is the encoding of an LTL formula; then, by Proposition 8.2.1, $N_i$ is a canonical
object of type $o$;

• $N_i$ is obtained by abstracting the encoding of a deduction over an atomic
family (either $w$ or $o$ or $T\ulcorner J \urcorner$ for some $J$). Again, by induction hypothesis,
we can conclude that $N_i$ is canonical.


$\Leftarrow$) In order to prove the second statement we need to strengthen the
assertion slightly: we prove that whenever

$$\Sigma_{LTL};\Gamma_X,\Gamma_Y, z_1{:}T\ulcorner J_1 \urcorner,\dots,z_k{:}T\ulcorner J_k \urcorner \vdash M \Uparrow T\,N$$

we have one of the following:

• $N = \ulcorner p : \varphi \urcorner$ for some $p$ and $\varphi$, and $M = \ulcorner\pi\urcorner$ for some deduction $\pi$ of $p : \varphi$;

• $N = \ulcorner p\,R\,q \urcorner$ for some $p$ and $q$, and $M = z_i$ for some $i$;

• $N = \ulcorner p\,R^*\,q \urcorner$ for some $p$ and $q$, and $M = z_i$ for some $i$;

• $N = \ulcorner p = q \urcorner$ for some $p$ and $q$, and $M = z_i$ for some $i$.

First, since $T\,N$ is not of the form $\Pi x{:}A.P$, we must have

$$\Sigma_{LTL};\Gamma_X,\Gamma_Y, z_1{:}T\ulcorner J_1 \urcorner,\dots,z_k{:}T\ulcorner J_k \urcorner \vdash M \Downarrow T\,N.$$

Then the base case is given by $M = z$; in this case we must have $z = z_i$ for
some $i \in [1 \dots k]$, and clearly $M$ is either the encoding of a trivial deduction
$p : \varphi^z$ or the encoding of a relational judgment $J^z$.

If $M$ is not a variable, since the only constants in $\Sigma_{LTL}$ that have a type concluding
with $T\ulcorner p : \varphi \urcorner$ are those representing proof rules, it must be $M = c\,N_1 \dots N_h$
with $c$ some constant in $\Sigma_{LTL}$ of arity $h$ and

$$\Sigma_{LTL};\Gamma_X,\Gamma_Y, z_1{:}T\ulcorner J_1 \urcorner,\dots,z_k{:}T\ulcorner J_k \urcorner \vdash N_i \Uparrow A_i$$

for each $i \in [1 \dots h]$.

Now, by inspection of the types of the possible constants $c$, we know that $A_i$
can only be one of the following:

• $o$, and, by Proposition 8.2.2, $N_i = \ulcorner\psi\urcorner$ for some formula $\psi$;

• $w$, and, since the only terms of type $w$ are variables, $N_i$ is the encoding of
a world variable;

• $T\ulcorner q : \psi \urcorner$ for some $q$ and $\psi$; in this case, by induction hypothesis, $N_i = \ulcorner\pi_i\urcorner$
for some deduction $\pi_i$ of $q : \psi$;

• $T\ulcorner J \urcorner$ for some relational judgment $J$, and since the only terms of this
type are variables, $N_i = z_l$ for some $l \in [1 \dots k]$;

• $\Pi z_1{:}B_1 \dots \Pi z_l{:}B_l.\, T\,B$, where each $B_j$ is a canonical family; then $N_i = \lambda z_1{:}B_1 \dots \lambda z_l{:}B_l.\, N_i'$
with $N_i' \Uparrow T\,B$. Again by induction hypothesis, $B = \ulcorner q : \psi \urcorner$ for some $q$ and some $\psi$, and
$N_i'$ is the encoding of a deduction of $q : \psi$.

Finally we obtain the deduction $\pi$ by applying the rule encoded by the constant $c$ to
the deductions encoded by the arguments. □


Observe that we have a bijection between NK-LTL deductions of $p : \varphi$ and canonical
terms of type $T\ulcorner p : \varphi \urcorner$. It is instead not true in general that each canonical term of type
$T\,J$ (with $J : j$) is the encoding of an NK-LTL deduction. Indeed we have canonical
objects of type $T(R\,y_p\,y_q)$, but these do not encode any deduction.

Finally we show that the map $\ulcorner\cdot\urcorner$ is compositional with respect to deductions,
formulas and world variables.


Proposition 8.2.8 Let $\pi$ be an NK-LTL deduction of $G;\Gamma \vdash p : \varphi$; then we have the
following:

• for each pair of world variables $r, s$,
  $\ulcorner \pi\{s/r\} \urcorner = \ulcorner\pi\urcorner\{y_s/y_r\}$;

• for each propositional variable $a$ and for each LTL formula $\psi$,
  $\ulcorner \pi\{\psi/a\} \urcorner = \ulcorner\pi\urcorner\{\ulcorner\psi\urcorner/x_a\}$;

• for each assumption $q : \psi^z$ in $\Gamma$ and for each deduction $\pi_0$ of $q : \psi$,
  $\ulcorner \pi\{\pi_0/z\} \urcorner = \ulcorner\pi\urcorner\{\ulcorner\pi_0\urcorner/z\}$.


Proof. The proof is simple but quite long, due to the great number of proof rules.
For the sake of conciseness we consider only the last statement and sketch briefly the
possible cases.

We proceed by induction on the proof $\pi$.

The base case is given by the trivial proof; in this case $\ulcorner\pi\urcorner = z'$ and we have
two possibilities. Either $z = z'$ and $\ulcorner \pi\{\pi_0/z\} \urcorner = \ulcorner\pi_0\urcorner$, or $z \neq z'$ and clearly
$\ulcorner \pi\{\pi_0/z\} \urcorner = z'$. In either case the statement follows easily.

Assume $\pi$ is obtained by the application of rule $(\rho)$ to deductions $\pi_1,\dots,\pi_k$; then
$\pi\{\pi_0/z\}$ is obtained by applying rule $(\rho)$ to deductions $\pi_1\{\pi_0/z\},\dots,\pi_k\{\pi_0/z\}$.

By definition of $\ulcorner\cdot\urcorner$, we have $\ulcorner \pi\{\pi_0/z\} \urcorner = c\,N_1 \dots N_h$ and $\ulcorner\pi\urcorner = c\,M_1 \dots M_h$,
where each $M_i$ and $N_i$ is either the encoding of a formula, or the encoding of a
world variable, or the encoding of some deductions $\pi_j$ and $\pi_j\{\pi_0/z\}$ respectively.

Now, if $N_i = \ulcorner \pi_j\{\pi_0/z\} \urcorner$, applying the induction hypothesis we immediately have
$N_i = \ulcorner\pi_j\urcorner\{\ulcorner\pi_0\urcorner/z\} = M_i\{\ulcorner\pi_0\urcorner/z\}$.

In any other case, since no proof variable may occur in the terms encoding
formulas and world variables, we have $N_i = M_i = M_i\{\ulcorner\pi_0\urcorner/z\}$.
Concluding,

$$\ulcorner \pi\{\pi_0/z\} \urcorner = c\,N_1 \dots N_h = c\,M_1\{\ulcorner\pi_0\urcorner/z\} \dots M_h\{\ulcorner\pi_0\urcorner/z\}
= (c\,M_1 \dots M_h)\{\ulcorner\pi_0\urcorner/z\} = \ulcorner\pi\urcorner\{\ulcorner\pi_0\urcorner/z\}.$$